Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-r432-uepe-vuah
Vulnerability ID VCID-r432-uepe-vuah
Aliases CVE-2026-30939
GHSA-5j86-7r7m-p8h6
Summary Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00181 https://api.first.org/data/v1/epss?cve=CVE-2026-30939
epss 0.00181 https://api.first.org/data/v1/epss?cve=CVE-2026-30939
epss 0.00181 https://api.first.org/data/v1/epss?cve=CVE-2026-30939
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-5j86-7r7m-p8h6
cvssv4 8.8 https://github.com/parse-community/parse-server
generic_textual HIGH https://github.com/parse-community/parse-server
cvssv4 8.8 https://github.com/parse-community/parse-server/releases/tag/8.6.13
generic_textual HIGH https://github.com/parse-community/parse-server/releases/tag/8.6.13
ssvc Track https://github.com/parse-community/parse-server/releases/tag/8.6.13
cvssv4 8.8 https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2
generic_textual HIGH https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2
ssvc Track https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2
cvssv3.1_qr HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6
cvssv4 8.8 https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6
generic_textual HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6
cvssv4 8.8 https://nvd.nist.gov/vuln/detail/CVE-2026-30939
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-30939
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-30939
https://github.com/parse-community/parse-server
https://github.com/parse-community/parse-server/releases/tag/8.6.13
https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2
CVE-2026-30939 https://nvd.nist.gov/vuln/detail/CVE-2026-30939
GHSA-5j86-7r7m-p8h6 https://github.com/advisories/GHSA-5j86-7r7m-p8h6
GHSA-5j86-7r7m-p8h6 https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/releases/tag/8.6.13
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/ Found at https://github.com/parse-community/parse-server/releases/tag/8.6.13
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/ Found at https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-30939
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.39652
EPSS Score 0.00181
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:51:33.855733+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-30939.yml 38.6.0