Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-67gc-6w6e-rkcg
Vulnerability ID VCID-67gc-6w6e-rkcg
Aliases CVE-2026-30848
GHSA-hm3f-q6rw-m6wh
Summary Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory The `PagesRouter` static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured `pagesPath` directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. `pages-secret` starts with `pages`). This affects any Parse Server deployment with the `pages` feature enabled (`pages.enableRouter: true`). Exploitation requires a sibling directory of `pagesPath` whose name begins with the same string as the pages directory name.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2026-30848
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2026-30848
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2026-30848
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hm3f-q6rw-m6wh
cvssv4 6.3 https://github.com/parse-community/parse-server
generic_textual MODERATE https://github.com/parse-community/parse-server
cvssv3.1_qr MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh
cvssv4 6.3 https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh
generic_textual MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh
cvssv4 6.3 https://nvd.nist.gov/vuln/detail/CVE-2026-30848
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-30848
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-30848
https://github.com/parse-community/parse-server
CVE-2026-30848 https://nvd.nist.gov/vuln/detail/CVE-2026-30848
GHSA-hm3f-q6rw-m6wh https://github.com/advisories/GHSA-hm3f-q6rw-m6wh
GHSA-hm3f-q6rw-m6wh https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:38:49Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-30848
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.06489
EPSS Score 0.00022
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:51:27.427770+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-30848.yml 38.6.0