Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-faws-rh1j-tba1
Vulnerability ID VCID-faws-rh1j-tba1
Aliases CVE-2026-32886
GHSA-4263-jgmp-7pf4
Summary Parse Server's Cloud function dispatch crashes server via prototype chain traversal ### Impact Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. ### Patches The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. ### Workarounds There is no known workaround.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-32886
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-32886
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-4263-jgmp-7pf4
cvssv4 8.2 https://github.com/parse-community/parse-server
generic_textual HIGH https://github.com/parse-community/parse-server
cvssv4 8.2 https://github.com/parse-community/parse-server/pull/10210
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10210
ssvc Track https://github.com/parse-community/parse-server/pull/10210
cvssv4 8.2 https://github.com/parse-community/parse-server/pull/10211
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10211
ssvc Track https://github.com/parse-community/parse-server/pull/10211
cvssv3.1_qr HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4
cvssv4 8.2 https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4
generic_textual HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4
cvssv4 8.2 https://nvd.nist.gov/vuln/detail/CVE-2026-32886
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-32886
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-32886
https://github.com/parse-community/parse-server
https://github.com/parse-community/parse-server/pull/10210
https://github.com/parse-community/parse-server/pull/10211
https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4
https://nvd.nist.gov/vuln/detail/CVE-2026-32886
GHSA-4263-jgmp-7pf4 https://github.com/advisories/GHSA-4263-jgmp-7pf4
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10210
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/ Found at https://github.com/parse-community/parse-server/pull/10210
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10211
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/ Found at https://github.com/parse-community/parse-server/pull/10211
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-32886
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.09562
EPSS Score 0.00031
Published At June 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:58:28.413175+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-4263-jgmp-7pf4/GHSA-4263-jgmp-7pf4.json 38.6.0