Vulnerability details: VCID-317s-e13x-k3ct
Vulnerability ID VCID-317s-e13x-k3ct
Aliases CVE-2022-41878
GHSA-xprv-wvh7-qqqx
GMS-2022-6626
Summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This results in the keyword being saved to the database, bypassing the `requestKeywordDenylist` option. This issue is fixed in versions 4.10.19 and 5.3.2. If upgrading is not possible, the following workarounds may be applied: configure your firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
epss 0.00542 https://api.first.org/data/v1/epss?cve=CVE-2022-41878
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xprv-wvh7-qqqx
cvssv3.1 7.2 https://github.com/parse-community/parse-server
generic_textual HIGH https://github.com/parse-community/parse-server
cvssv3.1 7.2 https://github.com/parse-community/parse-server/commit/0a2d412e265992d53a670011afd9d2578562adc3
generic_textual HIGH https://github.com/parse-community/parse-server/commit/0a2d412e265992d53a670011afd9d2578562adc3
cvssv3.1 7.2 https://github.com/parse-community/parse-server/commit/6728da1e3591db1e27031d335d64d8f25546a06f
generic_textual HIGH https://github.com/parse-community/parse-server/commit/6728da1e3591db1e27031d335d64d8f25546a06f
cvssv3.1 7.2 https://github.com/parse-community/parse-server/pull/8301
generic_textual HIGH https://github.com/parse-community/parse-server/pull/8301
cvssv3.1 7.2 https://github.com/parse-community/parse-server/pull/8302
generic_textual HIGH https://github.com/parse-community/parse-server/pull/8302
cvssv3.1 7.2 https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx
cvssv3.1_qr HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx
generic_textual HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx
cvssv3.1 7.2 https://nvd.nist.gov/vuln/detail/CVE-2022-41878
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-41878
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/parse-community/parse-server
Attack Vector (AV) network
Attack Complexity (AC) low
Privileges Required (PR) high
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) high
Integrity Impact (I) high
Availability Impact (A) high
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/parse-community/parse-server/commit/0a2d412e265992d53a670011afd9d2578562adc3
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/parse-community/parse-server/commit/6728da1e3591db1e27031d335d64d8f25546a06f
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/parse-community/parse-server/pull/8301
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/parse-community/parse-server/pull/8302
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:46:49Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-41878
Exploit Prediction Scoring System (EPSS)
Percentile 0.68155
EPSS Score 0.00542
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:40:54.496212+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/41xxx/CVE-2022-41878.json 38.6.0