Lookup for vulnerable packages by Package URL.

Purl pkg:npm/parse-server@9.6.0-alpha.38
Type npm
Namespace
Name parse-server
Version 9.6.0-alpha.38
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 9.9.0-alpha.2
Latest_non_vulnerable_version 9.9.1-alpha.2
Affected_by_vulnerabilities
0
url VCID-14fp-bjdd-uffh
vulnerability_id VCID-14fp-bjdd-uffh
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39381
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08572
published_at 2026-06-11T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.08613
published_at 2026-06-12T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.08617
published_at 2026-06-13T12:55:00Z
3
value 0.00033
scoring_system epss
scoring_elements 0.10074
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39381
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39381
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39381
3
reference_url https://github.com/parse-community/parse-server/pull/10406
reference_id 10406
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/
url https://github.com/parse-community/parse-server/pull/10406
4
reference_url https://github.com/parse-community/parse-server/pull/10407
reference_id 10407
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/
url https://github.com/parse-community/parse-server/pull/10407
5
reference_url https://github.com/advisories/GHSA-g4v2-qx3q-4p64
reference_id GHSA-g4v2-qx3q-4p64
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g4v2-qx3q-4p64
6
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64
reference_id GHSA-g4v2-qx3q-4p64
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64
fixed_packages
0
url pkg:npm/parse-server@9.8.0-alpha.7
purl pkg:npm/parse-server@9.8.0-alpha.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dhkw-d15h-rkb5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.7
aliases CVE-2026-39381, GHSA-g4v2-qx3q-4p64
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-14fp-bjdd-uffh
1
url VCID-2rxm-qxur-9ygu
vulnerability_id VCID-2rxm-qxur-9ygu
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33624
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09911
published_at 2026-06-11T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09951
published_at 2026-06-14T12:55:00Z
2
value 0.00032
scoring_system epss
scoring_elements 0.0996
published_at 2026-06-12T12:55:00Z
3
value 0.00032
scoring_system epss
scoring_elements 0.09965
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33624
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33624
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33624
3
reference_url https://github.com/parse-community/parse-server/pull/10275
reference_id 10275
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/
url https://github.com/parse-community/parse-server/pull/10275
4
reference_url https://github.com/parse-community/parse-server/pull/10276
reference_id 10276
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/
url https://github.com/parse-community/parse-server/pull/10276
5
reference_url https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff
reference_id 5e70094250a36bfcc14ecd49592be2b94fba66ff
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/
url https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff
6
reference_url https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c
reference_id fc3da35a81d5083b453e8967cabcc880f1a3bd0c
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/
url https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c
7
reference_url https://github.com/advisories/GHSA-2299-ghjr-6vjp
reference_id GHSA-2299-ghjr-6vjp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2299-ghjr-6vjp
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp
reference_id GHSA-2299-ghjr-6vjp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.54
purl pkg:npm/parse-server@9.6.0-alpha.54
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-49m3-j488-yqes
2
vulnerability VCID-7jbf-hw56-9bcx
3
vulnerability VCID-cbrh-vg1p-3ua7
4
vulnerability VCID-dhkw-d15h-rkb5
5
vulnerability VCID-dyd6-6yy1-hyhn
6
vulnerability VCID-gngn-8vy6-bkg7
7
vulnerability VCID-hs5q-jk5r-7ya8
8
vulnerability VCID-mm7p-maf1-eyhq
9
vulnerability VCID-n4s7-6vvk-skfz
10
vulnerability VCID-nqev-h9w8-pudy
11
vulnerability VCID-nt51-v9gk-w3e8
12
vulnerability VCID-vmwk-3myb-u7ds
13
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.54
aliases CVE-2026-33624, GHSA-2299-ghjr-6vjp
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2rxm-qxur-9ygu
2
url VCID-49m3-j488-yqes
vulnerability_id VCID-49m3-j488-yqes
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34373
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.06235
published_at 2026-06-11T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.06228
published_at 2026-06-14T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.06257
published_at 2026-06-12T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.06245
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34373
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34373
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34373
3
reference_url https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263
reference_id 0347641507891d0013ec57f7c10f012064f41263
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/
url https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263
4
reference_url https://github.com/parse-community/parse-server/pull/10334
reference_id 10334
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/
url https://github.com/parse-community/parse-server/pull/10334
5
reference_url https://github.com/parse-community/parse-server/pull/10335
reference_id 10335
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/
url https://github.com/parse-community/parse-server/pull/10335
6
reference_url https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203
reference_id 4dd0d3d8be1c39664c74ad10bb0abaa76bc41203
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/
url https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203
7
reference_url https://github.com/advisories/GHSA-q3p6-g7c4-829c
reference_id GHSA-q3p6-g7c4-829c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q3p6-g7c4-829c
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c
reference_id GHSA-q3p6-g7c4-829c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c
fixed_packages
0
url pkg:npm/parse-server@9.7.0-alpha.10
purl pkg:npm/parse-server@9.7.0-alpha.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-cbrh-vg1p-3ua7
2
vulnerability VCID-dhkw-d15h-rkb5
3
vulnerability VCID-dyd6-6yy1-hyhn
4
vulnerability VCID-mm7p-maf1-eyhq
5
vulnerability VCID-n4s7-6vvk-skfz
6
vulnerability VCID-nt51-v9gk-w3e8
7
vulnerability VCID-vmwk-3myb-u7ds
8
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.10
aliases CVE-2026-34373, GHSA-q3p6-g7c4-829c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-49m3-j488-yqes
3
url VCID-5bbt-8378-17d1
vulnerability_id VCID-5bbt-8378-17d1
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route against this, did not apply to these routes. This issue has been patched in versions 8.6.51 and 9.6.0-alpha.40.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33323
reference_id
reference_type
scores
0
value 0.00051
scoring_system epss
scoring_elements 0.16288
published_at 2026-06-13T12:55:00Z
1
value 0.00051
scoring_system epss
scoring_elements 0.16256
published_at 2026-06-14T12:55:00Z
2
value 0.00051
scoring_system epss
scoring_elements 0.16135
published_at 2026-06-11T12:55:00Z
3
value 0.00051
scoring_system epss
scoring_elements 0.16278
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33323
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33323
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33323
3
reference_url https://github.com/parse-community/parse-server/pull/10238
reference_id 10238
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/
url https://github.com/parse-community/parse-server/pull/10238
4
reference_url https://github.com/parse-community/parse-server/pull/10243
reference_id 10243
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/
url https://github.com/parse-community/parse-server/pull/10243
5
reference_url https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5
reference_id 967aa57732202009b2389ce9ecb3130d53d657e5
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/
url https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5
6
reference_url https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3
reference_id fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/
url https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3
7
reference_url https://github.com/advisories/GHSA-h29g-q5c2-9h4f
reference_id GHSA-h29g-q5c2-9h4f
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h29g-q5c2-9h4f
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f
reference_id GHSA-h29g-q5c2-9h4f
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.40
purl pkg:npm/parse-server@9.6.0-alpha.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-2rxm-qxur-9ygu
2
vulnerability VCID-49m3-j488-yqes
3
vulnerability VCID-7jbf-hw56-9bcx
4
vulnerability VCID-cbrh-vg1p-3ua7
5
vulnerability VCID-dhkw-d15h-rkb5
6
vulnerability VCID-dyd6-6yy1-hyhn
7
vulnerability VCID-e84c-36en-wqaa
8
vulnerability VCID-gngn-8vy6-bkg7
9
vulnerability VCID-hs5q-jk5r-7ya8
10
vulnerability VCID-mdgb-p4u1-uud5
11
vulnerability VCID-mm7p-maf1-eyhq
12
vulnerability VCID-mxgt-92ep-73fj
13
vulnerability VCID-n4s7-6vvk-skfz
14
vulnerability VCID-n5mt-eebx-zbcf
15
vulnerability VCID-nqev-h9w8-pudy
16
vulnerability VCID-nt51-v9gk-w3e8
17
vulnerability VCID-q59u-ywkn-wbfw
18
vulnerability VCID-tuts-aegs-r7e7
19
vulnerability VCID-vmwk-3myb-u7ds
20
vulnerability VCID-wqxc-qnu8-q7d7
21
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.40
aliases CVE-2026-33323, GHSA-h29g-q5c2-9h4f
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5bbt-8378-17d1
4
url VCID-7jbf-hw56-9bcx
vulnerability_id VCID-7jbf-hw56-9bcx
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34224
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04657
published_at 2026-06-14T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.04677
published_at 2026-06-11T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.04679
published_at 2026-06-12T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.04665
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34224
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34224
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34224
3
reference_url https://github.com/parse-community/parse-server/pull/10326
reference_id 10326
reference_type
scores
0
value 4.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/
url https://github.com/parse-community/parse-server/pull/10326
4
reference_url https://github.com/parse-community/parse-server/pull/10327
reference_id 10327
reference_type
scores
0
value 4.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/
url https://github.com/parse-community/parse-server/pull/10327
5
reference_url https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92
reference_id 661f160edac8daac0486bc94413cf9652876ab92
reference_type
scores
0
value 4.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/
url https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92
6
reference_url https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf
reference_id e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf
reference_type
scores
0
value 4.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/
url https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf
7
reference_url https://github.com/advisories/GHSA-w73w-g5xw-rwhf
reference_id GHSA-w73w-g5xw-rwhf
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w73w-g5xw-rwhf
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf
reference_id GHSA-w73w-g5xw-rwhf
reference_type
scores
0
value 4.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf
fixed_packages
0
url pkg:npm/parse-server@9.7.0-alpha.8
purl pkg:npm/parse-server@9.7.0-alpha.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-49m3-j488-yqes
2
vulnerability VCID-cbrh-vg1p-3ua7
3
vulnerability VCID-dhkw-d15h-rkb5
4
vulnerability VCID-dyd6-6yy1-hyhn
5
vulnerability VCID-hs5q-jk5r-7ya8
6
vulnerability VCID-mm7p-maf1-eyhq
7
vulnerability VCID-n4s7-6vvk-skfz
8
vulnerability VCID-nt51-v9gk-w3e8
9
vulnerability VCID-vmwk-3myb-u7ds
10
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.8
aliases CVE-2026-34224, GHSA-w73w-g5xw-rwhf
risk_score 2.0
exploitability 0.5
weighted_severity 4.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7jbf-hw56-9bcx
5
url VCID-cbrh-vg1p-3ua7
vulnerability_id VCID-cbrh-vg1p-3ua7
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34595
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.1263
published_at 2026-06-11T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12707
published_at 2026-06-14T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12722
published_at 2026-06-12T12:55:00Z
3
value 0.0004
scoring_system epss
scoring_elements 0.12729
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34595
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34595
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34595
3
reference_url https://github.com/parse-community/parse-server/pull/10350
reference_id 10350
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/
url https://github.com/parse-community/parse-server/pull/10350
4
reference_url https://github.com/parse-community/parse-server/pull/10351
reference_id 10351
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/
url https://github.com/parse-community/parse-server/pull/10351
5
reference_url https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98
reference_id f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/
url https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98
6
reference_url https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2
reference_id ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/
url https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2
7
reference_url https://github.com/advisories/GHSA-mmg8-87c5-jrc2
reference_id GHSA-mmg8-87c5-jrc2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mmg8-87c5-jrc2
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2
reference_id GHSA-mmg8-87c5-jrc2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2
fixed_packages
0
url pkg:npm/parse-server@9.7.0-alpha.16
purl pkg:npm/parse-server@9.7.0-alpha.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-dhkw-d15h-rkb5
2
vulnerability VCID-dyd6-6yy1-hyhn
3
vulnerability VCID-nt51-v9gk-w3e8
4
vulnerability VCID-vmwk-3myb-u7ds
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.16
aliases CVE-2026-34595, GHSA-mmg8-87c5-jrc2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cbrh-vg1p-3ua7
6
url VCID-dhkw-d15h-rkb5
vulnerability_id VCID-dhkw-d15h-rkb5
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-43930
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01108
published_at 2026-06-11T12:55:00Z
1
value 0.0001
scoring_system epss
scoring_elements 0.01301
published_at 2026-06-14T12:55:00Z
2
value 0.0001
scoring_system epss
scoring_elements 0.01106
published_at 2026-06-12T12:55:00Z
3
value 0.0001
scoring_system epss
scoring_elements 0.01296
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-43930
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-43930
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-43930
3
reference_url https://github.com/parse-community/parse-server/pull/10448
reference_id 10448
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/
url https://github.com/parse-community/parse-server/pull/10448
4
reference_url https://github.com/parse-community/parse-server/pull/10449
reference_id 10449
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/
url https://github.com/parse-community/parse-server/pull/10449
5
reference_url https://github.com/advisories/GHSA-jpq4-7fmq-q5fj
reference_id GHSA-jpq4-7fmq-q5fj
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jpq4-7fmq-q5fj
6
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj
reference_id GHSA-jpq4-7fmq-q5fj
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj
fixed_packages
0
url pkg:npm/parse-server@9.9.0-alpha.2
purl pkg:npm/parse-server@9.9.0-alpha.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.9.0-alpha.2
aliases CVE-2026-43930, GHSA-jpq4-7fmq-q5fj
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dhkw-d15h-rkb5
7
url VCID-dyd6-6yy1-hyhn
vulnerability_id VCID-dyd6-6yy1-hyhn
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39321
reference_id
reference_type
scores
0
value 0.0003
scoring_system epss
scoring_elements 0.09019
published_at 2026-06-11T12:55:00Z
1
value 0.0003
scoring_system epss
scoring_elements 0.0907
published_at 2026-06-13T12:55:00Z
2
value 0.0003
scoring_system epss
scoring_elements 0.09067
published_at 2026-06-12T12:55:00Z
3
value 0.00031
scoring_system epss
scoring_elements 0.09485
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39321
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39321
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39321
3
reference_url https://github.com/parse-community/parse-server/pull/10398
reference_id 10398
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/
url https://github.com/parse-community/parse-server/pull/10398
4
reference_url https://github.com/parse-community/parse-server/pull/10399
reference_id 10399
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/
url https://github.com/parse-community/parse-server/pull/10399
5
reference_url https://github.com/advisories/GHSA-mmpq-5hcv-hf2v
reference_id GHSA-mmpq-5hcv-hf2v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mmpq-5hcv-hf2v
6
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v
reference_id GHSA-mmpq-5hcv-hf2v
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v
fixed_packages
0
url pkg:npm/parse-server@9.8.0-alpha.6
purl pkg:npm/parse-server@9.8.0-alpha.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-dhkw-d15h-rkb5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.6
aliases CVE-2026-39321, GHSA-mmpq-5hcv-hf2v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dyd6-6yy1-hyhn
8
url VCID-e84c-36en-wqaa
vulnerability_id VCID-e84c-36en-wqaa
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33429
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03023
published_at 2026-06-11T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.03032
published_at 2026-06-14T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.03021
published_at 2026-06-13T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03036
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33429
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33429
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33429
3
reference_url https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b
reference_id 0c0a0a5a37ca821d2553119f2cb3be35322eda4b
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/
url https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b
4
reference_url https://github.com/parse-community/parse-server/pull/10253
reference_id 10253
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/
url https://github.com/parse-community/parse-server/pull/10253
5
reference_url https://github.com/parse-community/parse-server/pull/10254
reference_id 10254
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/
url https://github.com/parse-community/parse-server/pull/10254
6
reference_url https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67
reference_id c62eacaf38de86913f09240583448360b1cc8e67
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/
url https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67
7
reference_url https://github.com/advisories/GHSA-qpc3-fg4j-8hgm
reference_id GHSA-qpc3-fg4j-8hgm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qpc3-fg4j-8hgm
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm
reference_id GHSA-qpc3-fg4j-8hgm
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.43
purl pkg:npm/parse-server@9.6.0-alpha.43
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-2rxm-qxur-9ygu
2
vulnerability VCID-49m3-j488-yqes
3
vulnerability VCID-7jbf-hw56-9bcx
4
vulnerability VCID-cbrh-vg1p-3ua7
5
vulnerability VCID-dhkw-d15h-rkb5
6
vulnerability VCID-dyd6-6yy1-hyhn
7
vulnerability VCID-gngn-8vy6-bkg7
8
vulnerability VCID-hs5q-jk5r-7ya8
9
vulnerability VCID-mdgb-p4u1-uud5
10
vulnerability VCID-mm7p-maf1-eyhq
11
vulnerability VCID-mxgt-92ep-73fj
12
vulnerability VCID-n4s7-6vvk-skfz
13
vulnerability VCID-nqev-h9w8-pudy
14
vulnerability VCID-nt51-v9gk-w3e8
15
vulnerability VCID-vmwk-3myb-u7ds
16
vulnerability VCID-wqxc-qnu8-q7d7
17
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.43
aliases CVE-2026-33429, GHSA-qpc3-fg4j-8hgm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e84c-36en-wqaa
9
url VCID-g9b7-r5ry-mybm
vulnerability_id VCID-g9b7-r5ry-mybm
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33409
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08546
published_at 2026-06-14T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.08551
published_at 2026-06-13T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.08549
published_at 2026-06-12T12:55:00Z
3
value 0.00028
scoring_system epss
scoring_elements 0.08511
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33409
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33409
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33409
3
reference_url https://github.com/parse-community/parse-server/pull/10246
reference_id 10246
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/
url https://github.com/parse-community/parse-server/pull/10246
4
reference_url https://github.com/parse-community/parse-server/pull/10247
reference_id 10247
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/
url https://github.com/parse-community/parse-server/pull/10247
5
reference_url https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c
reference_id 8d7df5639c4a35768fe8b78b4580b30e8a74721c
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/
url https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c
6
reference_url https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d
reference_id 98f4ba5bcf2c199bfe6225f672e8edcd08ba732d
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/
url https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d
7
reference_url https://github.com/advisories/GHSA-pfj7-wv7c-22pr
reference_id GHSA-pfj7-wv7c-22pr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pfj7-wv7c-22pr
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr
reference_id GHSA-pfj7-wv7c-22pr
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.41
purl pkg:npm/parse-server@9.6.0-alpha.41
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-2rxm-qxur-9ygu
2
vulnerability VCID-49m3-j488-yqes
3
vulnerability VCID-7jbf-hw56-9bcx
4
vulnerability VCID-cbrh-vg1p-3ua7
5
vulnerability VCID-dhkw-d15h-rkb5
6
vulnerability VCID-dyd6-6yy1-hyhn
7
vulnerability VCID-e84c-36en-wqaa
8
vulnerability VCID-gngn-8vy6-bkg7
9
vulnerability VCID-hs5q-jk5r-7ya8
10
vulnerability VCID-mdgb-p4u1-uud5
11
vulnerability VCID-mm7p-maf1-eyhq
12
vulnerability VCID-mxgt-92ep-73fj
13
vulnerability VCID-n4s7-6vvk-skfz
14
vulnerability VCID-n5mt-eebx-zbcf
15
vulnerability VCID-nqev-h9w8-pudy
16
vulnerability VCID-nt51-v9gk-w3e8
17
vulnerability VCID-q59u-ywkn-wbfw
18
vulnerability VCID-tuts-aegs-r7e7
19
vulnerability VCID-vmwk-3myb-u7ds
20
vulnerability VCID-wqxc-qnu8-q7d7
21
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.41
aliases CVE-2026-33409, GHSA-pfj7-wv7c-22pr
risk_score 4.1
exploitability 0.5
weighted_severity 8.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g9b7-r5ry-mybm
10
url VCID-gngn-8vy6-bkg7
vulnerability_id VCID-gngn-8vy6-bkg7
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34215
reference_id
reference_type
scores
0
value 0.00085
scoring_system epss
scoring_elements 0.24728
published_at 2026-06-11T12:55:00Z
1
value 0.00085
scoring_system epss
scoring_elements 0.24923
published_at 2026-06-14T12:55:00Z
2
value 0.00085
scoring_system epss
scoring_elements 0.2494
published_at 2026-06-13T12:55:00Z
3
value 0.00085
scoring_system epss
scoring_elements 0.24927
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34215
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34215
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34215
3
reference_url https://github.com/parse-community/parse-server/pull/10323
reference_id 10323
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/
url https://github.com/parse-community/parse-server/pull/10323
4
reference_url https://github.com/parse-community/parse-server/pull/10324
reference_id 10324
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/
url https://github.com/parse-community/parse-server/pull/10324
5
reference_url https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed
reference_id 770be8647424d92f5425c41fa81065ffbbb171ed
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/
url https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed
6
reference_url https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c
reference_id a1d4e7b12a12f16d3870dbee582a36765858e94c
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/
url https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c
7
reference_url https://github.com/advisories/GHSA-wp76-gg32-8258
reference_id GHSA-wp76-gg32-8258
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wp76-gg32-8258
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258
reference_id GHSA-wp76-gg32-8258
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258
fixed_packages
0
url pkg:npm/parse-server@9.7.0-alpha.7
purl pkg:npm/parse-server@9.7.0-alpha.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-49m3-j488-yqes
2
vulnerability VCID-7jbf-hw56-9bcx
3
vulnerability VCID-cbrh-vg1p-3ua7
4
vulnerability VCID-dhkw-d15h-rkb5
5
vulnerability VCID-dyd6-6yy1-hyhn
6
vulnerability VCID-hs5q-jk5r-7ya8
7
vulnerability VCID-mm7p-maf1-eyhq
8
vulnerability VCID-n4s7-6vvk-skfz
9
vulnerability VCID-nt51-v9gk-w3e8
10
vulnerability VCID-vmwk-3myb-u7ds
11
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.7
aliases CVE-2026-34215, GHSA-wp76-gg32-8258
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gngn-8vy6-bkg7
11
url VCID-hs5q-jk5r-7ya8
vulnerability_id VCID-hs5q-jk5r-7ya8
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state. Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class. This issue has been patched in versions 8.6.65 and 9.7.0-alpha.9.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34363
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.0685
published_at 2026-06-11T12:55:00Z
1
value 0.00023
scoring_system epss
scoring_elements 0.06848
published_at 2026-06-14T12:55:00Z
2
value 0.00023
scoring_system epss
scoring_elements 0.06862
published_at 2026-06-13T12:55:00Z
3
value 0.00023
scoring_system epss
scoring_elements 0.06874
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34363
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34363
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34363
3
reference_url https://github.com/parse-community/parse-server/pull/10330
reference_id 10330
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/
url https://github.com/parse-community/parse-server/pull/10330
4
reference_url https://github.com/parse-community/parse-server/pull/10331
reference_id 10331
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/
url https://github.com/parse-community/parse-server/pull/10331
5
reference_url https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b
reference_id 5834e29234593addaa0251a85f572ad4f376320b
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/
url https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b
6
reference_url https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055
reference_id 776c71c3078e77d38c94937f463741793609d055
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/
url https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055
7
reference_url https://github.com/advisories/GHSA-m983-v2ff-wq65
reference_id GHSA-m983-v2ff-wq65
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m983-v2ff-wq65
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
reference_id GHSA-m983-v2ff-wq65
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
fixed_packages
0
url pkg:npm/parse-server@9.7.0-alpha.9
purl pkg:npm/parse-server@9.7.0-alpha.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-49m3-j488-yqes
2
vulnerability VCID-cbrh-vg1p-3ua7
3
vulnerability VCID-dhkw-d15h-rkb5
4
vulnerability VCID-dyd6-6yy1-hyhn
5
vulnerability VCID-mm7p-maf1-eyhq
6
vulnerability VCID-n4s7-6vvk-skfz
7
vulnerability VCID-nt51-v9gk-w3e8
8
vulnerability VCID-vmwk-3myb-u7ds
9
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.9
aliases CVE-2026-34363, GHSA-m983-v2ff-wq65
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hs5q-jk5r-7ya8
12
url VCID-mdgb-p4u1-uud5
vulnerability_id VCID-mdgb-p4u1-uud5
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33527
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02576
published_at 2026-06-11T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02569
published_at 2026-06-13T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02579
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33527
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33527
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33527
3
reference_url https://github.com/parse-community/parse-server/pull/10263
reference_id 10263
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/
url https://github.com/parse-community/parse-server/pull/10263
4
reference_url https://github.com/parse-community/parse-server/pull/10264
reference_id 10264
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/
url https://github.com/parse-community/parse-server/pull/10264
5
reference_url https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73
reference_id 26b628c8fb3cc79ea955374769eebcff6f8a8a73
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/
url https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73
6
reference_url https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984
reference_id ea68fc0b22a6056c9675149469ff57817f7cf984
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/
url https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984
7
reference_url https://github.com/advisories/GHSA-jc39-686j-wp6q
reference_id GHSA-jc39-686j-wp6q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jc39-686j-wp6q
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q
reference_id GHSA-jc39-686j-wp6q
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.48
purl pkg:npm/parse-server@9.6.0-alpha.48
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-2rxm-qxur-9ygu
2
vulnerability VCID-49m3-j488-yqes
3
vulnerability VCID-7jbf-hw56-9bcx
4
vulnerability VCID-cbrh-vg1p-3ua7
5
vulnerability VCID-dhkw-d15h-rkb5
6
vulnerability VCID-dyd6-6yy1-hyhn
7
vulnerability VCID-gngn-8vy6-bkg7
8
vulnerability VCID-hs5q-jk5r-7ya8
9
vulnerability VCID-mm7p-maf1-eyhq
10
vulnerability VCID-mxgt-92ep-73fj
11
vulnerability VCID-n4s7-6vvk-skfz
12
vulnerability VCID-nqev-h9w8-pudy
13
vulnerability VCID-nt51-v9gk-w3e8
14
vulnerability VCID-vmwk-3myb-u7ds
15
vulnerability VCID-wqxc-qnu8-q7d7
16
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.48
aliases CVE-2026-33527, GHSA-jc39-686j-wp6q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mdgb-p4u1-uud5
13
url VCID-mm7p-maf1-eyhq
vulnerability_id VCID-mm7p-maf1-eyhq
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34574
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.1263
published_at 2026-06-11T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12707
published_at 2026-06-14T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12722
published_at 2026-06-12T12:55:00Z
3
value 0.0004
scoring_system epss
scoring_elements 0.12729
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34574
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34574
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34574
3
reference_url https://github.com/parse-community/parse-server/pull/10347
reference_id 10347
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/
url https://github.com/parse-community/parse-server/pull/10347
4
reference_url https://github.com/parse-community/parse-server/pull/10348
reference_id 10348
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/
url https://github.com/parse-community/parse-server/pull/10348
5
reference_url https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21
reference_id 90802969fc713b7bc9733d7255c7519a6ed75d21
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/
url https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21
6
reference_url https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777
reference_id ebccd7fe2708007e62f705ee1c820a6766178777
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/
url https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777
7
reference_url https://github.com/advisories/GHSA-f6j3-w9v3-cq22
reference_id GHSA-f6j3-w9v3-cq22
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f6j3-w9v3-cq22
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22
reference_id GHSA-f6j3-w9v3-cq22
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22
fixed_packages
0
url pkg:npm/parse-server@9.7.0-alpha.14
purl pkg:npm/parse-server@9.7.0-alpha.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-cbrh-vg1p-3ua7
2
vulnerability VCID-dhkw-d15h-rkb5
3
vulnerability VCID-dyd6-6yy1-hyhn
4
vulnerability VCID-nt51-v9gk-w3e8
5
vulnerability VCID-vmwk-3myb-u7ds
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.14
aliases CVE-2026-34574, GHSA-f6j3-w9v3-cq22
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mm7p-maf1-eyhq
14
url VCID-mxgt-92ep-73fj
vulnerability_id VCID-mxgt-92ep-73fj
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33538
reference_id
reference_type
scores
0
value 0.00142
scoring_system epss
scoring_elements 0.34156
published_at 2026-06-11T12:55:00Z
1
value 0.00142
scoring_system epss
scoring_elements 0.34337
published_at 2026-06-14T12:55:00Z
2
value 0.00142
scoring_system epss
scoring_elements 0.34358
published_at 2026-06-13T12:55:00Z
3
value 0.00142
scoring_system epss
scoring_elements 0.34333
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33538
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33538
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33538
3
reference_url https://github.com/parse-community/parse-server/pull/10270
reference_id 10270
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/
url https://github.com/parse-community/parse-server/pull/10270
4
reference_url https://github.com/parse-community/parse-server/pull/10271
reference_id 10271
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/
url https://github.com/parse-community/parse-server/pull/10271
5
reference_url https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
reference_id 40eb442e02672986730007d0a1edb22c1c4bd357
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/
url https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
6
reference_url https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
reference_id fbac847499e57f243315c5fc7135be1d58bb8e54
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/
url https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
7
reference_url https://github.com/advisories/GHSA-g4cf-xj29-wqqr
reference_id GHSA-g4cf-xj29-wqqr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g4cf-xj29-wqqr
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
reference_id GHSA-g4cf-xj29-wqqr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.52
purl pkg:npm/parse-server@9.6.0-alpha.52
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-2rxm-qxur-9ygu
2
vulnerability VCID-49m3-j488-yqes
3
vulnerability VCID-7jbf-hw56-9bcx
4
vulnerability VCID-cbrh-vg1p-3ua7
5
vulnerability VCID-dhkw-d15h-rkb5
6
vulnerability VCID-dyd6-6yy1-hyhn
7
vulnerability VCID-gngn-8vy6-bkg7
8
vulnerability VCID-hs5q-jk5r-7ya8
9
vulnerability VCID-mm7p-maf1-eyhq
10
vulnerability VCID-n4s7-6vvk-skfz
11
vulnerability VCID-nqev-h9w8-pudy
12
vulnerability VCID-nt51-v9gk-w3e8
13
vulnerability VCID-vmwk-3myb-u7ds
14
vulnerability VCID-wqxc-qnu8-q7d7
15
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.52
aliases CVE-2026-33538, GHSA-g4cf-xj29-wqqr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mxgt-92ep-73fj
15
url VCID-n4s7-6vvk-skfz
vulnerability_id VCID-n4s7-6vvk-skfz
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34573
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05341
published_at 2026-06-11T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.05343
published_at 2026-06-14T12:55:00Z
2
value 0.00019
scoring_system epss
scoring_elements 0.05353
published_at 2026-06-13T12:55:00Z
3
value 0.00019
scoring_system epss
scoring_elements 0.05359
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34573
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34573
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34573
3
reference_url https://github.com/parse-community/parse-server/pull/10344
reference_id 10344
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/
url https://github.com/parse-community/parse-server/pull/10344
4
reference_url https://github.com/parse-community/parse-server/pull/10345
reference_id 10345
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/
url https://github.com/parse-community/parse-server/pull/10345
5
reference_url https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
reference_id ea15412795f34594cc8a674fe858d445675e0295
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/
url https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
6
reference_url https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
reference_id f759bda075298ec44e2b4fb57659a0c56620483b
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/
url https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
7
reference_url https://github.com/advisories/GHSA-mfj6-6p54-m98c
reference_id GHSA-mfj6-6p54-m98c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mfj6-6p54-m98c
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
reference_id GHSA-mfj6-6p54-m98c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
fixed_packages
0
url pkg:npm/parse-server@9.7.0-alpha.12
purl pkg:npm/parse-server@9.7.0-alpha.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-cbrh-vg1p-3ua7
2
vulnerability VCID-dhkw-d15h-rkb5
3
vulnerability VCID-dyd6-6yy1-hyhn
4
vulnerability VCID-mm7p-maf1-eyhq
5
vulnerability VCID-nt51-v9gk-w3e8
6
vulnerability VCID-vmwk-3myb-u7ds
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.12
aliases CVE-2026-34573, GHSA-mfj6-6p54-m98c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n4s7-6vvk-skfz
16
url VCID-n5mt-eebx-zbcf
vulnerability_id VCID-n5mt-eebx-zbcf
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. This issue has been patched in versions 8.6.53 and 9.6.0-alpha.42.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33421
reference_id
reference_type
scores
0
value 0.00012
scoring_system epss
scoring_elements 0.01788
published_at 2026-06-13T12:55:00Z
1
value 0.00012
scoring_system epss
scoring_elements 0.01795
published_at 2026-06-14T12:55:00Z
2
value 0.00012
scoring_system epss
scoring_elements 0.01781
published_at 2026-06-11T12:55:00Z
3
value 0.00012
scoring_system epss
scoring_elements 0.01786
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33421
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33421
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33421
3
reference_url https://github.com/parse-community/parse-server/pull/10250
reference_id 10250
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/
url https://github.com/parse-community/parse-server/pull/10250
4
reference_url https://github.com/parse-community/parse-server/pull/10252
reference_id 10252
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/
url https://github.com/parse-community/parse-server/pull/10252
5
reference_url https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea
reference_id 6c3317aca6eb618ac48f999021ae3ef7766ad1ea
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/
url https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea
6
reference_url https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee
reference_id 976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/
url https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee
7
reference_url https://github.com/advisories/GHSA-fph2-r4qg-9576
reference_id GHSA-fph2-r4qg-9576
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fph2-r4qg-9576
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576
reference_id GHSA-fph2-r4qg-9576
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.42
purl pkg:npm/parse-server@9.6.0-alpha.42
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-2rxm-qxur-9ygu
2
vulnerability VCID-49m3-j488-yqes
3
vulnerability VCID-7jbf-hw56-9bcx
4
vulnerability VCID-cbrh-vg1p-3ua7
5
vulnerability VCID-dhkw-d15h-rkb5
6
vulnerability VCID-dyd6-6yy1-hyhn
7
vulnerability VCID-gngn-8vy6-bkg7
8
vulnerability VCID-hs5q-jk5r-7ya8
9
vulnerability VCID-mdgb-p4u1-uud5
10
vulnerability VCID-mm7p-maf1-eyhq
11
vulnerability VCID-mxgt-92ep-73fj
12
vulnerability VCID-n4s7-6vvk-skfz
13
vulnerability VCID-nqev-h9w8-pudy
14
vulnerability VCID-nt51-v9gk-w3e8
15
vulnerability VCID-vmwk-3myb-u7ds
16
vulnerability VCID-wqxc-qnu8-q7d7
17
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.42
aliases CVE-2026-33421, GHSA-fph2-r4qg-9576
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n5mt-eebx-zbcf
17
url VCID-nqev-h9w8-pudy
vulnerability_id VCID-nqev-h9w8-pudy
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33627
reference_id
reference_type
scores
0
value 0.00039
scoring_system epss
scoring_elements 0.12016
published_at 2026-06-11T12:55:00Z
1
value 0.00039
scoring_system epss
scoring_elements 0.12088
published_at 2026-06-14T12:55:00Z
2
value 0.00039
scoring_system epss
scoring_elements 0.12109
published_at 2026-06-13T12:55:00Z
3
value 0.00039
scoring_system epss
scoring_elements 0.12108
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33627
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33627
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33627
3
reference_url https://github.com/parse-community/parse-server/pull/10278
reference_id 10278
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/
url https://github.com/parse-community/parse-server/pull/10278
4
reference_url https://github.com/parse-community/parse-server/pull/10279
reference_id 10279
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/
url https://github.com/parse-community/parse-server/pull/10279
5
reference_url https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c
reference_id 5b8998e6866bcf75be7b5bb625e27d23bfaf912c
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/
url https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c
6
reference_url https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f
reference_id 875cf10ac979bd60f70e7a0c534e2bc194d6982f
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/
url https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f
7
reference_url https://github.com/advisories/GHSA-37mj-c2wf-cx96
reference_id GHSA-37mj-c2wf-cx96
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-37mj-c2wf-cx96
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96
reference_id GHSA-37mj-c2wf-cx96
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.55
purl pkg:npm/parse-server@9.6.0-alpha.55
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-49m3-j488-yqes
2
vulnerability VCID-7jbf-hw56-9bcx
3
vulnerability VCID-cbrh-vg1p-3ua7
4
vulnerability VCID-dhkw-d15h-rkb5
5
vulnerability VCID-dyd6-6yy1-hyhn
6
vulnerability VCID-gngn-8vy6-bkg7
7
vulnerability VCID-hs5q-jk5r-7ya8
8
vulnerability VCID-mm7p-maf1-eyhq
9
vulnerability VCID-n4s7-6vvk-skfz
10
vulnerability VCID-nt51-v9gk-w3e8
11
vulnerability VCID-vmwk-3myb-u7ds
12
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.55
aliases CVE-2026-33627, GHSA-37mj-c2wf-cx96
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nqev-h9w8-pudy
18
url VCID-nt51-v9gk-w3e8
vulnerability_id VCID-nt51-v9gk-w3e8
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-35200
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09965
published_at 2026-06-11T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.10014
published_at 2026-06-12T12:55:00Z
2
value 0.00038
scoring_system epss
scoring_elements 0.11654
published_at 2026-06-14T12:55:00Z
3
value 0.00038
scoring_system epss
scoring_elements 0.11677
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-35200
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-35200
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-35200
3
reference_url https://github.com/parse-community/parse-server/pull/10383
reference_id 10383
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/
url https://github.com/parse-community/parse-server/pull/10383
4
reference_url https://github.com/parse-community/parse-server/pull/10384
reference_id 10384
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/
url https://github.com/parse-community/parse-server/pull/10384
5
reference_url https://github.com/advisories/GHSA-vr5f-2r24-w5hc
reference_id GHSA-vr5f-2r24-w5hc
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vr5f-2r24-w5hc
6
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
reference_id GHSA-vr5f-2r24-w5hc
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
fixed_packages
0
url pkg:npm/parse-server@9.7.1-alpha.4
purl pkg:npm/parse-server@9.7.1-alpha.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-dhkw-d15h-rkb5
2
vulnerability VCID-dyd6-6yy1-hyhn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.4
aliases CVE-2026-35200, GHSA-vr5f-2r24-w5hc
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nt51-v9gk-w3e8
19
url VCID-q59u-ywkn-wbfw
vulnerability_id VCID-q59u-ywkn-wbfw
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33498
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.06091
published_at 2026-06-11T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.06094
published_at 2026-06-14T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.06105
published_at 2026-06-13T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.06111
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33498
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33498
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33498
3
reference_url https://github.com/parse-community/parse-server/pull/10257
reference_id 10257
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/
url https://github.com/parse-community/parse-server/pull/10257
4
reference_url https://github.com/parse-community/parse-server/pull/10258
reference_id 10258
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/
url https://github.com/parse-community/parse-server/pull/10258
5
reference_url https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5
reference_id 2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/
url https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5
6
reference_url https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1
reference_id 85994eff9e7b34cac7e1a2f5791985022a1461d1
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/
url https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1
7
reference_url https://github.com/advisories/GHSA-9fjp-q3c4-6w3j
reference_id GHSA-9fjp-q3c4-6w3j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9fjp-q3c4-6w3j
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j
reference_id GHSA-9fjp-q3c4-6w3j
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.44
purl pkg:npm/parse-server@9.6.0-alpha.44
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-2rxm-qxur-9ygu
2
vulnerability VCID-49m3-j488-yqes
3
vulnerability VCID-7jbf-hw56-9bcx
4
vulnerability VCID-cbrh-vg1p-3ua7
5
vulnerability VCID-dhkw-d15h-rkb5
6
vulnerability VCID-dyd6-6yy1-hyhn
7
vulnerability VCID-gngn-8vy6-bkg7
8
vulnerability VCID-hs5q-jk5r-7ya8
9
vulnerability VCID-mdgb-p4u1-uud5
10
vulnerability VCID-mm7p-maf1-eyhq
11
vulnerability VCID-mxgt-92ep-73fj
12
vulnerability VCID-n4s7-6vvk-skfz
13
vulnerability VCID-nqev-h9w8-pudy
14
vulnerability VCID-nt51-v9gk-w3e8
15
vulnerability VCID-vmwk-3myb-u7ds
16
vulnerability VCID-wqxc-qnu8-q7d7
17
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.44
aliases CVE-2026-33498, GHSA-9fjp-q3c4-6w3j
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q59u-ywkn-wbfw
20
url VCID-tuts-aegs-r7e7
vulnerability_id VCID-tuts-aegs-r7e7
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33508
reference_id
reference_type
scores
0
value 0.00065
scoring_system epss
scoring_elements 0.20667
published_at 2026-06-13T12:55:00Z
1
value 0.00065
scoring_system epss
scoring_elements 0.20646
published_at 2026-06-14T12:55:00Z
2
value 0.00065
scoring_system epss
scoring_elements 0.20468
published_at 2026-06-11T12:55:00Z
3
value 0.00065
scoring_system epss
scoring_elements 0.20645
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33508
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33508
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33508
3
reference_url https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899
reference_id 060d27053fb0fadf613c25aabab7fe0c82b7a899
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/
url https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899
4
reference_url https://github.com/parse-community/parse-server/pull/10259
reference_id 10259
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/
url https://github.com/parse-community/parse-server/pull/10259
5
reference_url https://github.com/parse-community/parse-server/pull/10260
reference_id 10260
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/
url https://github.com/parse-community/parse-server/pull/10260
6
reference_url https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b
reference_id 2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/
url https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b
7
reference_url https://github.com/advisories/GHSA-6qh5-m6g3-xhq6
reference_id GHSA-6qh5-m6g3-xhq6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6qh5-m6g3-xhq6
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6
reference_id GHSA-6qh5-m6g3-xhq6
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.45
purl pkg:npm/parse-server@9.6.0-alpha.45
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-2rxm-qxur-9ygu
2
vulnerability VCID-49m3-j488-yqes
3
vulnerability VCID-7jbf-hw56-9bcx
4
vulnerability VCID-cbrh-vg1p-3ua7
5
vulnerability VCID-dhkw-d15h-rkb5
6
vulnerability VCID-dyd6-6yy1-hyhn
7
vulnerability VCID-gngn-8vy6-bkg7
8
vulnerability VCID-hs5q-jk5r-7ya8
9
vulnerability VCID-mdgb-p4u1-uud5
10
vulnerability VCID-mm7p-maf1-eyhq
11
vulnerability VCID-mxgt-92ep-73fj
12
vulnerability VCID-n4s7-6vvk-skfz
13
vulnerability VCID-nqev-h9w8-pudy
14
vulnerability VCID-nt51-v9gk-w3e8
15
vulnerability VCID-vmwk-3myb-u7ds
16
vulnerability VCID-wqxc-qnu8-q7d7
17
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.45
aliases CVE-2026-33508, GHSA-6qh5-m6g3-xhq6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tuts-aegs-r7e7
21
url VCID-vmwk-3myb-u7ds
vulnerability_id VCID-vmwk-3myb-u7ds
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34784
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.03955
published_at 2026-06-11T12:55:00Z
1
value 0.00016
scoring_system epss
scoring_elements 0.0396
published_at 2026-06-13T12:55:00Z
2
value 0.00016
scoring_system epss
scoring_elements 0.03971
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34784
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34784
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34784
3
reference_url https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337
reference_id 053109b3ee71815bc39ed84116c108ff9edbf337
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/
url https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337
4
reference_url https://github.com/parse-community/parse-server/pull/10361
reference_id 10361
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/
url https://github.com/parse-community/parse-server/pull/10361
5
reference_url https://github.com/parse-community/parse-server/pull/10362
reference_id 10362
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/
url https://github.com/parse-community/parse-server/pull/10362
6
reference_url https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22
reference_id a0b0c69fc44f87f80d793d257344e7dcbf676e22
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/
url https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22
7
reference_url https://github.com/advisories/GHSA-hpm8-9qx6-jvwv
reference_id GHSA-hpm8-9qx6-jvwv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hpm8-9qx6-jvwv
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv
reference_id GHSA-hpm8-9qx6-jvwv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv
fixed_packages
0
url pkg:npm/parse-server@9.7.1-alpha.1
purl pkg:npm/parse-server@9.7.1-alpha.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-dhkw-d15h-rkb5
2
vulnerability VCID-dyd6-6yy1-hyhn
3
vulnerability VCID-nt51-v9gk-w3e8
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.1
aliases CVE-2026-34784, GHSA-hpm8-9qx6-jvwv
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vmwk-3myb-u7ds
22
url VCID-wqxc-qnu8-q7d7
vulnerability_id VCID-wqxc-qnu8-q7d7
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33539
reference_id
reference_type
scores
0
value 0.00024
scoring_system epss
scoring_elements 0.07139
published_at 2026-06-11T12:55:00Z
1
value 0.00024
scoring_system epss
scoring_elements 0.07161
published_at 2026-06-14T12:55:00Z
2
value 0.00024
scoring_system epss
scoring_elements 0.07172
published_at 2026-06-12T12:55:00Z
3
value 0.00024
scoring_system epss
scoring_elements 0.07166
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33539
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33539
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33539
3
reference_url https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c
reference_id 03249f9bf5b8783c8b848f84dab791ff0b761b8c
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/
url https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c
4
reference_url https://github.com/parse-community/parse-server/pull/10272
reference_id 10272
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/
url https://github.com/parse-community/parse-server/pull/10272
5
reference_url https://github.com/parse-community/parse-server/pull/10273
reference_id 10273
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/
url https://github.com/parse-community/parse-server/pull/10273
6
reference_url https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e
reference_id bdddab5f8b61a40cb8fc62dd895887bdd2f3838e
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/
url https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e
7
reference_url https://github.com/advisories/GHSA-p2w6-rmh7-w8q3
reference_id GHSA-p2w6-rmh7-w8q3
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p2w6-rmh7-w8q3
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3
reference_id GHSA-p2w6-rmh7-w8q3
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3
fixed_packages
0
url pkg:npm/parse-server@9.6.0-alpha.53
purl pkg:npm/parse-server@9.6.0-alpha.53
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-2rxm-qxur-9ygu
2
vulnerability VCID-49m3-j488-yqes
3
vulnerability VCID-7jbf-hw56-9bcx
4
vulnerability VCID-cbrh-vg1p-3ua7
5
vulnerability VCID-dhkw-d15h-rkb5
6
vulnerability VCID-dyd6-6yy1-hyhn
7
vulnerability VCID-gngn-8vy6-bkg7
8
vulnerability VCID-hs5q-jk5r-7ya8
9
vulnerability VCID-mm7p-maf1-eyhq
10
vulnerability VCID-n4s7-6vvk-skfz
11
vulnerability VCID-nqev-h9w8-pudy
12
vulnerability VCID-nt51-v9gk-w3e8
13
vulnerability VCID-vmwk-3myb-u7ds
14
vulnerability VCID-zx4t-zth8-7fe5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.53
aliases CVE-2026-33539, GHSA-p2w6-rmh7-w8q3
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wqxc-qnu8-q7d7
23
url VCID-zx4t-zth8-7fe5
vulnerability_id VCID-zx4t-zth8-7fe5
summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34532
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13654
published_at 2026-06-11T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.13742
published_at 2026-06-14T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.13772
published_at 2026-06-12T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13771
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34532
1
reference_url https://github.com/parse-community/parse-server
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/parse-community/parse-server
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34532
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34532
3
reference_url https://github.com/parse-community/parse-server/pull/10342
reference_id 10342
reference_type
scores
0
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/
url https://github.com/parse-community/parse-server/pull/10342
4
reference_url https://github.com/parse-community/parse-server/pull/10343
reference_id 10343
reference_type
scores
0
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/
url https://github.com/parse-community/parse-server/pull/10343
5
reference_url https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7
reference_id 4fc48cf28f22eea200d74d883505f485234a48d7
reference_type
scores
0
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/
url https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7
6
reference_url https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674
reference_id dc59e272665644083c5b7f6862d88ce1ef0b2674
reference_type
scores
0
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/
url https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674
7
reference_url https://github.com/advisories/GHSA-vpj2-qq7w-5qq6
reference_id GHSA-vpj2-qq7w-5qq6
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vpj2-qq7w-5qq6
8
reference_url https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6
reference_id GHSA-vpj2-qq7w-5qq6
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/
url https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6
fixed_packages
0
url pkg:npm/parse-server@9.7.0-alpha.11
purl pkg:npm/parse-server@9.7.0-alpha.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-14fp-bjdd-uffh
1
vulnerability VCID-cbrh-vg1p-3ua7
2
vulnerability VCID-dhkw-d15h-rkb5
3
vulnerability VCID-dyd6-6yy1-hyhn
4
vulnerability VCID-mm7p-maf1-eyhq
5
vulnerability VCID-n4s7-6vvk-skfz
6
vulnerability VCID-nt51-v9gk-w3e8
7
vulnerability VCID-vmwk-3myb-u7ds
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.11
aliases CVE-2026-34532, GHSA-vpj2-qq7w-5qq6
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zx4t-zth8-7fe5
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.38