Search

Find a vulnerability

Search criteria

    246 vulnerabilities by parse-community

    CVE-2026-61448 (GCVE-0-2026-61448)

    Vulnerability from nvd – Published: 2026-07-11 13:01 – Updated: 2026-07-14 22:03
    VLAI
    Title
    Parse Server 9.0.0 Stored XSS via malformed Content-Type
    Summary
    Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a valid type/subtype media type (e.g., 'image', 'image/', or 'image//svg+xml') bypasses the fileUpload.fileExtensions blocklist and is stored unchanged. On storage adapters that persist and serve the uploaded Content-Type (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage), a browser cannot parse the malformed value and falls back to MIME-sniffing; a file whose body begins with HTML is rendered as HTML, executing embedded script in the application's origin against other users who open the file URL. The default GridFS storage adapter is not affected. Fixed in 9.10.0-alpha.2 and 8.6.84.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: 9.0.0 , < 9.10.0-alpha.2 (semver)
    Unaffected: 9.10.0-alpha.2 (semver)
    Create a notification for this product.
    parse-community parse-server Affected: 0 , < 8.6.84 (semver)
    Unaffected: 8.6.84 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    CyberKareem mtrezza
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-61448",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T16:09:47.693724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T16:09:53.756Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/parse-server",
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "lessThan": "9.10.0-alpha.2",
                  "status": "affected",
                  "version": "9.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "9.10.0-alpha.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/parse-server",
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "lessThan": "8.6.84",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "8.6.84",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
                      "versionEndExcluding": "9.10.0-alpha.2",
                      "versionStartIncluding": "9.0.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
                      "versionEndExcluding": "8.6.84",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "CyberKareem"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "mtrezza"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions \u003e= 9.0.0, \u003c 9.10.0-alpha.2 and \u003c= 8.6.83. When an uploaded file\u0027s extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a valid type/subtype media type (e.g., \u0027image\u0027, \u0027image/\u0027, or \u0027image//svg+xml\u0027) bypasses the fileUpload.fileExtensions blocklist and is stored unchanged. On storage adapters that persist and serve the uploaded Content-Type (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage), a browser cannot parse the malformed value and falls back to MIME-sniffing; a file whose body begins with HTML is rendered as HTML, executing embedded script in the application\u0027s origin against other users who open the file URL. The default GridFS storage adapter is not affected. Fixed in 9.10.0-alpha.2 and 8.6.84."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T22:03:36.889Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-r899-h629-j84r)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r899-h629-j84r"
            },
            {
              "name": "VulnCheck Advisory: Parse Server 9.0.0 Stored XSS via malformed Content-Type",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/parse-server-stored-xss-via-malformed-content-type"
            }
          ],
          "title": "Parse Server 9.0.0 Stored XSS via malformed Content-Type",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-61448",
        "datePublished": "2026-07-11T13:01:05.852Z",
        "dateReserved": "2026-07-09T14:06:14.016Z",
        "dateUpdated": "2026-07-14T22:03:36.889Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57481 (GCVE-0-2026-57481)

    Vulnerability from nvd – Published: 2026-07-08 20:54 – Updated: 2026-07-10 14:14
    VLAI
    Title
    Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0-alpha.1, < 9.9.1-alpha.13
    Affected: < 8.6.83
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57481",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:14:06.415177Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:14:39.740Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0-alpha.1, \u003c 9.9.1-alpha.13"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.83"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber\u0027s ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:54:55.923Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-97pr-9hgg-3p8r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-97pr-9hgg-3p8r"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10515",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10515"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10516",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10516"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/c9b24cecfee76d8563019adaacbcbd78471dc41e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/c9b24cecfee76d8563019adaacbcbd78471dc41e"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/e9c85dfe40a866a55ebae3b6ae56285ac0a22e64",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/e9c85dfe40a866a55ebae3b6ae56285ac0a22e64"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.83",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.83"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.13"
            }
          ],
          "source": {
            "advisory": "GHSA-97pr-9hgg-3p8r",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-57481",
        "datePublished": "2026-07-08T20:54:55.923Z",
        "dateReserved": "2026-06-24T14:53:40.110Z",
        "dateUpdated": "2026-07-10T14:14:39.740Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57480 (GCVE-0-2026-57480)

    Vulnerability from nvd – Published: 2026-07-08 20:53 – Updated: 2026-07-09 13:43
    VLAI
    Title
    Parse Server: Denial of service via exponential-time processing of deeply nested query operators
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0-alpha.1, < 9.9.1-alpha.12
    Affected: < 8.6.82
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57480",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:43:00.734926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:43:23.509Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0-alpha.1, \u003c 9.9.1-alpha.12"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.82"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407: Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:53:21.307Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-cgxm-vr2f-6fj8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-cgxm-vr2f-6fj8"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10511",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10511"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10512",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10512"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/0f5d2ad77b422dc904458254548be87397fc6e9b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/0f5d2ad77b422dc904458254548be87397fc6e9b"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/1103c7a890e0455ba3dccd4bc5db17efe1789c9a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/1103c7a890e0455ba3dccd4bc5db17efe1789c9a"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.82"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.12"
            }
          ],
          "source": {
            "advisory": "GHSA-cgxm-vr2f-6fj8",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Denial of service via exponential-time processing of deeply nested query operators"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-57480",
        "datePublished": "2026-07-08T20:53:21.307Z",
        "dateReserved": "2026-06-24T14:53:40.110Z",
        "dateUpdated": "2026-07-09T13:43:23.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55778 (GCVE-0-2026-55778)

    Vulnerability from nvd – Published: 2026-07-08 20:50 – Updated: 2026-07-09 13:39
    VLAI
    Title
    Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0-alpha.1, < 9.9.1-alpha.11
    Affected: < 8.6.81
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55778",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:39:32.908358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:39:44.881Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0-alpha.1, \u003c 9.9.1-alpha.11"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.81"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:50:52.531Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v8x7-r927-cc93",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v8x7-r927-cc93"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10505",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10505"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10506",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10506"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/97c6a78d19f976ec756c1295f08a8fccab90799a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/97c6a78d19f976ec756c1295f08a8fccab90799a"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/be12a60d65b6e140481882037fb896b1f951df50",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/be12a60d65b6e140481882037fb896b1f951df50"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.81",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.81"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.11"
            }
          ],
          "source": {
            "advisory": "GHSA-v8x7-r927-cc93",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55778",
        "datePublished": "2026-07-08T20:50:52.531Z",
        "dateReserved": "2026-06-17T14:40:28.379Z",
        "dateUpdated": "2026-07-09T13:39:44.881Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-47987 (GCVE-0-2021-47987)

    Vulnerability from nvd – Published: 2026-06-25 21:41 – Updated: 2026-06-26 18:42
    VLAI
    Title
    Parse Server - Arbitrary Code Execution via Malicious Version Tags
    Summary
    Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-494 - Download of Code Without Integrity Check
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: 0 , < 4.10.0 (semver)
    Unaffected: 4.10.0 (semver)
    Create a notification for this product.
    Date Public
    2021-09-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-47987",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:14:35.071501Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:42:21.725Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/parse-server",
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "lessThan": "4.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
                      "versionEndExcluding": "4.10.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "datePublic": "2021-09-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T21:41:02.187Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-593v-wcqx-hq2w)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-593v-wcqx-hq2w"
            },
            {
              "name": "VulnCheck Advisory: Parse Server - Arbitrary Code Execution via Malicious Version Tags",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/parse-server-arbitrary-code-execution-via-malicious-version-tags"
            }
          ],
          "title": "Parse Server - Arbitrary Code Execution via Malicious Version Tags",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2021-47987",
        "datePublished": "2026-06-25T21:41:02.187Z",
        "dateReserved": "2026-06-21T02:08:33.232Z",
        "dateUpdated": "2026-06-26T18:42:21.725Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-47986 (GCVE-0-2021-47986)

    Vulnerability from nvd – Published: 2026-06-25 21:41 – Updated: 2026-06-26 10:38
    VLAI
    Title
    Parse Server - Unreviewed Code Execution via Malicious Version Tags
    Summary
    Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-494 - Download of Code Without Integrity Check
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: 0 , < 4.10.0 (semver)
    Unaffected: 4.10.0 (semver)
    Create a notification for this product.
    Date Public
    2021-09-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-47986",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T10:37:50.846778Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T10:38:03.663Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/parse-server",
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "lessThan": "4.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
                      "versionEndExcluding": "4.10.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "datePublic": "2021-09-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T21:41:01.502Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-593v-wcqx-hq2w)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-593v-wcqx-hq2w"
            },
            {
              "name": "VulnCheck Advisory: Parse Server - Unreviewed Code Execution via Malicious Version Tags",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/parse-server-unreviewed-code-execution-via-malicious-version-tags"
            }
          ],
          "title": "Parse Server - Unreviewed Code Execution via Malicious Version Tags",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2021-47986",
        "datePublished": "2026-06-25T21:41:01.502Z",
        "dateReserved": "2026-06-21T02:08:33.231Z",
        "dateUpdated": "2026-06-26T10:38:03.663Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53726 (GCVE-0-2026-53726)

    Vulnerability from nvd – Published: 2026-06-12 18:37 – Updated: 2026-06-12 18:57
    VLAI
    Title
    Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle — confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: < 8.6.80
    Affected: >= 9.0.0, < 9.9.1-alpha.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53726",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T18:56:52.405145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T18:57:06.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.80"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.1-alpha.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry \u2014 no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object\u0027s objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle \u2014 confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:37:01.695Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wmwx-jr2p-4j4r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wmwx-jr2p-4j4r"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10493",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10493"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10494",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10494"
            }
          ],
          "source": {
            "advisory": "GHSA-wmwx-jr2p-4j4r",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53726",
        "datePublished": "2026-06-12T18:37:01.695Z",
        "dateReserved": "2026-06-10T16:43:31.242Z",
        "dateUpdated": "2026-06-12T18:57:06.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53725 (GCVE-0-2026-53725)

    Vulnerability from nvd – Published: 2026-06-12 18:35 – Updated: 2026-06-13 03:27
    VLAI
    Title
    Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.8.0, < 9.9.1-alpha.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53725",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-13T03:27:05.665305Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-13T03:27:16.713Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.8.0, \u003c 9.9.1-alpha.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim\u0027s password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:35:45.906Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-75v4-m273-5j49",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-75v4-m273-5j49"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10492",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10492"
            }
          ],
          "source": {
            "advisory": "GHSA-75v4-m273-5j49",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53725",
        "datePublished": "2026-06-12T18:35:45.906Z",
        "dateReserved": "2026-06-10T16:43:31.242Z",
        "dateUpdated": "2026-06-13T03:27:16.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53724 (GCVE-0-2026-53724)

    Vulnerability from nvd – Published: 2026-06-12 18:34 – Updated: 2026-06-12 20:01
    VLAI
    Title
    Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: < 8.6.79
    Affected: >= 9.0.0, < 9.9.1-alpha.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53724",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T19:03:39.906463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T20:01:13.569Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.79"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.1-alpha.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:34:38.237Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7wqv-xjf3-x35v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7wqv-xjf3-x35v"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10489",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10489"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10490",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10490"
            }
          ],
          "source": {
            "advisory": "GHSA-7wqv-xjf3-x35v",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53724",
        "datePublished": "2026-06-12T18:34:38.237Z",
        "dateReserved": "2026-06-10T16:43:31.242Z",
        "dateUpdated": "2026-06-12T20:01:13.569Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50008 (GCVE-0-2026-50008)

    Vulnerability from nvd – Published: 2026-06-12 18:22 – Updated: 2026-06-12 19:00
    VLAI
    Title
    Parse Server: Server option routeAllowList is bypassable through batch sub-requests
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.8.0, < 9.9.1-alpha.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50008",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T19:00:45.285194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T19:00:55.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.8.0, \u003c 9.9.1-alpha.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply \u2014 only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:22:44.188Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p84r-h6rx-f2xr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p84r-h6rx-f2xr"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10482",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10482"
            }
          ],
          "source": {
            "advisory": "GHSA-p84r-h6rx-f2xr",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Server option routeAllowList is bypassable through batch sub-requests"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50008",
        "datePublished": "2026-06-12T18:22:44.188Z",
        "dateReserved": "2026-06-02T22:46:02.578Z",
        "dateUpdated": "2026-06-12T19:00:55.520Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47248 (GCVE-0-2026-47248)

    Vulnerability from nvd – Published: 2026-06-12 18:21 – Updated: 2026-06-12 20:04
    VLAI
    Title
    Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: < 8.6.78
    Affected: >= 9.0.0, < 9.9.1-alpha.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47248",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T20:04:32.992755Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T20:04:40.587Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.78"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.1-alpha.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server\u0027s GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:21:31.511Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8cph-rgr4-g5vj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8cph-rgr4-g5vj"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10467",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10467"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10468",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10468"
            }
          ],
          "source": {
            "advisory": "GHSA-8cph-rgr4-g5vj",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: GraphQL \"Did you mean\" validation suggestions disclose schema to unauthenticated callers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47248",
        "datePublished": "2026-06-12T18:21:31.511Z",
        "dateReserved": "2026-05-18T22:54:18.272Z",
        "dateUpdated": "2026-06-12T20:04:40.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47138 (GCVE-0-2026-47138)

    Vulnerability from nvd – Published: 2026-06-12 18:22 – Updated: 2026-06-12 18:56
    VLAI
    Title
    Parse Server: Pre-authentication denial of service via client version header regex backtracking
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: < 8.6.77
    Affected: >= 9.0.0, < 9.9.1-alpha.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47138",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T18:56:09.032234Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T18:56:14.419Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.77"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.1-alpha.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:22:02.751Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-38m6-82c8-4xfm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-38m6-82c8-4xfm"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10463",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10463"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10464",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10464"
            }
          ],
          "source": {
            "advisory": "GHSA-38m6-82c8-4xfm",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Pre-authentication denial of service via client version header regex backtracking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47138",
        "datePublished": "2026-06-12T18:22:02.751Z",
        "dateReserved": "2026-05-18T19:50:18.696Z",
        "dateUpdated": "2026-06-12T18:56:14.419Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-43930 (GCVE-0-2026-43930)

    Vulnerability from nvd – Published: 2026-05-12 13:34 – Updated: 2026-05-13 14:27
    VLAI
    Title
    Parse Server: MFA SMS one-time password accepted twice under concurrent login
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0, < 9.9.0-alpha.2
    Affected: < 8.6.76
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-43930",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T14:27:09.122314Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T14:27:47.599Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.0-alpha.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.76"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim\u0027s password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T13:34:50.567Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10448",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10448"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10449",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10449"
            }
          ],
          "source": {
            "advisory": "GHSA-jpq4-7fmq-q5fj",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: MFA SMS one-time password accepted twice under concurrent login"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-43930",
        "datePublished": "2026-05-12T13:34:50.567Z",
        "dateReserved": "2026-05-04T16:59:09.089Z",
        "dateUpdated": "2026-05-13T14:27:47.599Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39381 (GCVE-0-2026-39381)

    Vulnerability from nvd – Published: 2026-04-07 19:51 – Updated: 2026-04-07 20:23
    VLAI
    Title
    Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0, < 9.8.0-alpha.7
    Affected: >= 7.0.0, < 8.6.75
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39381",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T20:23:25.561431Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T20:23:31.190Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.8.0-alpha.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 8.6.75"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session\u0027s protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T19:51:03.479Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10406",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10406"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10407",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10407"
            }
          ],
          "source": {
            "advisory": "GHSA-g4v2-qx3q-4p64",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server\u0027s Endpoint `/sessions/me` bypasses `_Session` `protectedFields`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39381",
        "datePublished": "2026-04-07T19:51:03.479Z",
        "dateReserved": "2026-04-06T22:06:40.515Z",
        "dateUpdated": "2026-04-07T20:23:31.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39321 (GCVE-0-2026-39321)

    Vulnerability from nvd – Published: 2026-04-07 18:11 – Updated: 2026-04-07 19:58
    VLAI
    Title
    Parse Server has a login timing side-channel reveals user existence
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-208 - Observable Timing Discrepancy
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0, < 9.8.0-alpha.6
    Affected: < 8.6.74
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T18:44:58.116800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T19:58:57.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.8.0-alpha.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.74"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-208",
                  "description": "CWE-208: Observable Timing Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T18:11:10.514Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10398",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10398"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10399",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10399"
            }
          ],
          "source": {
            "advisory": "GHSA-mmpq-5hcv-hf2v",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server has a login timing side-channel reveals user existence"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39321",
        "datePublished": "2026-04-07T18:11:10.514Z",
        "dateReserved": "2026-04-06T19:31:07.266Z",
        "dateUpdated": "2026-04-07T19:58:57.199Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-61448 (GCVE-0-2026-61448)

    Vulnerability from cvelistv5 – Published: 2026-07-11 13:01 – Updated: 2026-07-14 22:03
    VLAI
    Title
    Parse Server 9.0.0 Stored XSS via malformed Content-Type
    Summary
    Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a valid type/subtype media type (e.g., 'image', 'image/', or 'image//svg+xml') bypasses the fileUpload.fileExtensions blocklist and is stored unchanged. On storage adapters that persist and serve the uploaded Content-Type (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage), a browser cannot parse the malformed value and falls back to MIME-sniffing; a file whose body begins with HTML is rendered as HTML, executing embedded script in the application's origin against other users who open the file URL. The default GridFS storage adapter is not affected. Fixed in 9.10.0-alpha.2 and 8.6.84.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: 9.0.0 , < 9.10.0-alpha.2 (semver)
    Unaffected: 9.10.0-alpha.2 (semver)
    Create a notification for this product.
    parse-community parse-server Affected: 0 , < 8.6.84 (semver)
    Unaffected: 8.6.84 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    CyberKareem mtrezza
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-61448",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T16:09:47.693724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T16:09:53.756Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/parse-server",
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "lessThan": "9.10.0-alpha.2",
                  "status": "affected",
                  "version": "9.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "9.10.0-alpha.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/parse-server",
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "lessThan": "8.6.84",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "8.6.84",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
                      "versionEndExcluding": "9.10.0-alpha.2",
                      "versionStartIncluding": "9.0.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
                      "versionEndExcluding": "8.6.84",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "CyberKareem"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "mtrezza"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions \u003e= 9.0.0, \u003c 9.10.0-alpha.2 and \u003c= 8.6.83. When an uploaded file\u0027s extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a valid type/subtype media type (e.g., \u0027image\u0027, \u0027image/\u0027, or \u0027image//svg+xml\u0027) bypasses the fileUpload.fileExtensions blocklist and is stored unchanged. On storage adapters that persist and serve the uploaded Content-Type (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage), a browser cannot parse the malformed value and falls back to MIME-sniffing; a file whose body begins with HTML is rendered as HTML, executing embedded script in the application\u0027s origin against other users who open the file URL. The default GridFS storage adapter is not affected. Fixed in 9.10.0-alpha.2 and 8.6.84."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T22:03:36.889Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-r899-h629-j84r)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r899-h629-j84r"
            },
            {
              "name": "VulnCheck Advisory: Parse Server 9.0.0 Stored XSS via malformed Content-Type",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/parse-server-stored-xss-via-malformed-content-type"
            }
          ],
          "title": "Parse Server 9.0.0 Stored XSS via malformed Content-Type",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-61448",
        "datePublished": "2026-07-11T13:01:05.852Z",
        "dateReserved": "2026-07-09T14:06:14.016Z",
        "dateUpdated": "2026-07-14T22:03:36.889Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57481 (GCVE-0-2026-57481)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:54 – Updated: 2026-07-10 14:14
    VLAI
    Title
    Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0-alpha.1, < 9.9.1-alpha.13
    Affected: < 8.6.83
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57481",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:14:06.415177Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:14:39.740Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0-alpha.1, \u003c 9.9.1-alpha.13"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.83"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber\u0027s ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:54:55.923Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-97pr-9hgg-3p8r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-97pr-9hgg-3p8r"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10515",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10515"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10516",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10516"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/c9b24cecfee76d8563019adaacbcbd78471dc41e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/c9b24cecfee76d8563019adaacbcbd78471dc41e"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/e9c85dfe40a866a55ebae3b6ae56285ac0a22e64",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/e9c85dfe40a866a55ebae3b6ae56285ac0a22e64"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.83",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.83"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.13"
            }
          ],
          "source": {
            "advisory": "GHSA-97pr-9hgg-3p8r",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-57481",
        "datePublished": "2026-07-08T20:54:55.923Z",
        "dateReserved": "2026-06-24T14:53:40.110Z",
        "dateUpdated": "2026-07-10T14:14:39.740Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57480 (GCVE-0-2026-57480)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:53 – Updated: 2026-07-09 13:43
    VLAI
    Title
    Parse Server: Denial of service via exponential-time processing of deeply nested query operators
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0-alpha.1, < 9.9.1-alpha.12
    Affected: < 8.6.82
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57480",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:43:00.734926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:43:23.509Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0-alpha.1, \u003c 9.9.1-alpha.12"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.82"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407: Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:53:21.307Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-cgxm-vr2f-6fj8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-cgxm-vr2f-6fj8"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10511",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10511"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10512",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10512"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/0f5d2ad77b422dc904458254548be87397fc6e9b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/0f5d2ad77b422dc904458254548be87397fc6e9b"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/1103c7a890e0455ba3dccd4bc5db17efe1789c9a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/1103c7a890e0455ba3dccd4bc5db17efe1789c9a"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.82"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.12"
            }
          ],
          "source": {
            "advisory": "GHSA-cgxm-vr2f-6fj8",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Denial of service via exponential-time processing of deeply nested query operators"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-57480",
        "datePublished": "2026-07-08T20:53:21.307Z",
        "dateReserved": "2026-06-24T14:53:40.110Z",
        "dateUpdated": "2026-07-09T13:43:23.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55778 (GCVE-0-2026-55778)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:50 – Updated: 2026-07-09 13:39
    VLAI
    Title
    Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0-alpha.1, < 9.9.1-alpha.11
    Affected: < 8.6.81
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55778",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:39:32.908358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:39:44.881Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0-alpha.1, \u003c 9.9.1-alpha.11"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.81"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:50:52.531Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v8x7-r927-cc93",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v8x7-r927-cc93"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10505",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10505"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10506",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10506"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/97c6a78d19f976ec756c1295f08a8fccab90799a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/97c6a78d19f976ec756c1295f08a8fccab90799a"
            },
            {
              "name": "https://github.com/parse-community/parse-server/commit/be12a60d65b6e140481882037fb896b1f951df50",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/commit/be12a60d65b6e140481882037fb896b1f951df50"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.81",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.81"
            },
            {
              "name": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.11"
            }
          ],
          "source": {
            "advisory": "GHSA-v8x7-r927-cc93",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55778",
        "datePublished": "2026-07-08T20:50:52.531Z",
        "dateReserved": "2026-06-17T14:40:28.379Z",
        "dateUpdated": "2026-07-09T13:39:44.881Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-47987 (GCVE-0-2021-47987)

    Vulnerability from cvelistv5 – Published: 2026-06-25 21:41 – Updated: 2026-06-26 18:42
    VLAI
    Title
    Parse Server - Arbitrary Code Execution via Malicious Version Tags
    Summary
    Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-494 - Download of Code Without Integrity Check
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: 0 , < 4.10.0 (semver)
    Unaffected: 4.10.0 (semver)
    Create a notification for this product.
    Date Public
    2021-09-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-47987",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T18:14:35.071501Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T18:42:21.725Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/parse-server",
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "lessThan": "4.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
                      "versionEndExcluding": "4.10.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "datePublic": "2021-09-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T21:41:02.187Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-593v-wcqx-hq2w)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-593v-wcqx-hq2w"
            },
            {
              "name": "VulnCheck Advisory: Parse Server - Arbitrary Code Execution via Malicious Version Tags",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/parse-server-arbitrary-code-execution-via-malicious-version-tags"
            }
          ],
          "title": "Parse Server - Arbitrary Code Execution via Malicious Version Tags",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2021-47987",
        "datePublished": "2026-06-25T21:41:02.187Z",
        "dateReserved": "2026-06-21T02:08:33.232Z",
        "dateUpdated": "2026-06-26T18:42:21.725Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-47986 (GCVE-0-2021-47986)

    Vulnerability from cvelistv5 – Published: 2026-06-25 21:41 – Updated: 2026-06-26 10:38
    VLAI
    Title
    Parse Server - Unreviewed Code Execution via Malicious Version Tags
    Summary
    Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-494 - Download of Code Without Integrity Check
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: 0 , < 4.10.0 (semver)
    Unaffected: 4.10.0 (semver)
    Create a notification for this product.
    Date Public
    2021-09-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-47986",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T10:37:50.846778Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T10:38:03.663Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/parse-server",
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "lessThan": "4.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
                      "versionEndExcluding": "4.10.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "datePublic": "2021-09-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T21:41:01.502Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-593v-wcqx-hq2w)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-593v-wcqx-hq2w"
            },
            {
              "name": "VulnCheck Advisory: Parse Server - Unreviewed Code Execution via Malicious Version Tags",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/parse-server-unreviewed-code-execution-via-malicious-version-tags"
            }
          ],
          "title": "Parse Server - Unreviewed Code Execution via Malicious Version Tags",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2021-47986",
        "datePublished": "2026-06-25T21:41:01.502Z",
        "dateReserved": "2026-06-21T02:08:33.231Z",
        "dateUpdated": "2026-06-26T10:38:03.663Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53726 (GCVE-0-2026-53726)

    Vulnerability from cvelistv5 – Published: 2026-06-12 18:37 – Updated: 2026-06-12 18:57
    VLAI
    Title
    Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle — confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: < 8.6.80
    Affected: >= 9.0.0, < 9.9.1-alpha.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53726",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T18:56:52.405145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T18:57:06.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.80"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.1-alpha.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry \u2014 no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object\u0027s objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle \u2014 confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:37:01.695Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wmwx-jr2p-4j4r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wmwx-jr2p-4j4r"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10493",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10493"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10494",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10494"
            }
          ],
          "source": {
            "advisory": "GHSA-wmwx-jr2p-4j4r",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53726",
        "datePublished": "2026-06-12T18:37:01.695Z",
        "dateReserved": "2026-06-10T16:43:31.242Z",
        "dateUpdated": "2026-06-12T18:57:06.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53725 (GCVE-0-2026-53725)

    Vulnerability from cvelistv5 – Published: 2026-06-12 18:35 – Updated: 2026-06-13 03:27
    VLAI
    Title
    Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.8.0, < 9.9.1-alpha.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53725",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-13T03:27:05.665305Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-13T03:27:16.713Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.8.0, \u003c 9.9.1-alpha.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim\u0027s password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:35:45.906Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-75v4-m273-5j49",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-75v4-m273-5j49"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10492",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10492"
            }
          ],
          "source": {
            "advisory": "GHSA-75v4-m273-5j49",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53725",
        "datePublished": "2026-06-12T18:35:45.906Z",
        "dateReserved": "2026-06-10T16:43:31.242Z",
        "dateUpdated": "2026-06-13T03:27:16.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53724 (GCVE-0-2026-53724)

    Vulnerability from cvelistv5 – Published: 2026-06-12 18:34 – Updated: 2026-06-12 20:01
    VLAI
    Title
    Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: < 8.6.79
    Affected: >= 9.0.0, < 9.9.1-alpha.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53724",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T19:03:39.906463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T20:01:13.569Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.79"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.1-alpha.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:34:38.237Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7wqv-xjf3-x35v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7wqv-xjf3-x35v"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10489",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10489"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10490",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10490"
            }
          ],
          "source": {
            "advisory": "GHSA-7wqv-xjf3-x35v",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53724",
        "datePublished": "2026-06-12T18:34:38.237Z",
        "dateReserved": "2026-06-10T16:43:31.242Z",
        "dateUpdated": "2026-06-12T20:01:13.569Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50008 (GCVE-0-2026-50008)

    Vulnerability from cvelistv5 – Published: 2026-06-12 18:22 – Updated: 2026-06-12 19:00
    VLAI
    Title
    Parse Server: Server option routeAllowList is bypassable through batch sub-requests
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.8.0, < 9.9.1-alpha.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50008",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T19:00:45.285194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T19:00:55.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.8.0, \u003c 9.9.1-alpha.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply \u2014 only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:22:44.188Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p84r-h6rx-f2xr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p84r-h6rx-f2xr"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10482",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10482"
            }
          ],
          "source": {
            "advisory": "GHSA-p84r-h6rx-f2xr",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Server option routeAllowList is bypassable through batch sub-requests"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50008",
        "datePublished": "2026-06-12T18:22:44.188Z",
        "dateReserved": "2026-06-02T22:46:02.578Z",
        "dateUpdated": "2026-06-12T19:00:55.520Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47138 (GCVE-0-2026-47138)

    Vulnerability from cvelistv5 – Published: 2026-06-12 18:22 – Updated: 2026-06-12 18:56
    VLAI
    Title
    Parse Server: Pre-authentication denial of service via client version header regex backtracking
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: < 8.6.77
    Affected: >= 9.0.0, < 9.9.1-alpha.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47138",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T18:56:09.032234Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T18:56:14.419Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.77"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.1-alpha.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:22:02.751Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-38m6-82c8-4xfm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-38m6-82c8-4xfm"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10463",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10463"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10464",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10464"
            }
          ],
          "source": {
            "advisory": "GHSA-38m6-82c8-4xfm",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: Pre-authentication denial of service via client version header regex backtracking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47138",
        "datePublished": "2026-06-12T18:22:02.751Z",
        "dateReserved": "2026-05-18T19:50:18.696Z",
        "dateUpdated": "2026-06-12T18:56:14.419Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47248 (GCVE-0-2026-47248)

    Vulnerability from cvelistv5 – Published: 2026-06-12 18:21 – Updated: 2026-06-12 20:04
    VLAI
    Title
    Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: < 8.6.78
    Affected: >= 9.0.0, < 9.9.1-alpha.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47248",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T20:04:32.992755Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T20:04:40.587Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.78"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.1-alpha.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server\u0027s GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:21:31.511Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8cph-rgr4-g5vj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8cph-rgr4-g5vj"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10467",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10467"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10468",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10468"
            }
          ],
          "source": {
            "advisory": "GHSA-8cph-rgr4-g5vj",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: GraphQL \"Did you mean\" validation suggestions disclose schema to unauthenticated callers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47248",
        "datePublished": "2026-06-12T18:21:31.511Z",
        "dateReserved": "2026-05-18T22:54:18.272Z",
        "dateUpdated": "2026-06-12T20:04:40.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-43930 (GCVE-0-2026-43930)

    Vulnerability from cvelistv5 – Published: 2026-05-12 13:34 – Updated: 2026-05-13 14:27
    VLAI
    Title
    Parse Server: MFA SMS one-time password accepted twice under concurrent login
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0, < 9.9.0-alpha.2
    Affected: < 8.6.76
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-43930",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T14:27:09.122314Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T14:27:47.599Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.9.0-alpha.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.76"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim\u0027s password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T13:34:50.567Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10448",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10448"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10449",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10449"
            }
          ],
          "source": {
            "advisory": "GHSA-jpq4-7fmq-q5fj",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server: MFA SMS one-time password accepted twice under concurrent login"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-43930",
        "datePublished": "2026-05-12T13:34:50.567Z",
        "dateReserved": "2026-05-04T16:59:09.089Z",
        "dateUpdated": "2026-05-13T14:27:47.599Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39381 (GCVE-0-2026-39381)

    Vulnerability from cvelistv5 – Published: 2026-04-07 19:51 – Updated: 2026-04-07 20:23
    VLAI
    Title
    Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0, < 9.8.0-alpha.7
    Affected: >= 7.0.0, < 8.6.75
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39381",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T20:23:25.561431Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T20:23:31.190Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.8.0-alpha.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 8.6.75"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session\u0027s protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T19:51:03.479Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10406",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10406"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10407",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10407"
            }
          ],
          "source": {
            "advisory": "GHSA-g4v2-qx3q-4p64",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server\u0027s Endpoint `/sessions/me` bypasses `_Session` `protectedFields`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39381",
        "datePublished": "2026-04-07T19:51:03.479Z",
        "dateReserved": "2026-04-06T22:06:40.515Z",
        "dateUpdated": "2026-04-07T20:23:31.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39321 (GCVE-0-2026-39321)

    Vulnerability from cvelistv5 – Published: 2026-04-07 18:11 – Updated: 2026-04-07 19:58
    VLAI
    Title
    Parse Server has a login timing side-channel reveals user existence
    Summary
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-208 - Observable Timing Discrepancy
    Assigner
    Impacted products
    Vendor Product Version
    parse-community parse-server Affected: >= 9.0.0, < 9.8.0-alpha.6
    Affected: < 8.6.74
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T18:44:58.116800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T19:58:57.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "parse-server",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.0.0, \u003c 9.8.0-alpha.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.6.74"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-208",
                  "description": "CWE-208: Observable Timing Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T18:11:10.514Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10398",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10398"
            },
            {
              "name": "https://github.com/parse-community/parse-server/pull/10399",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/parse-server/pull/10399"
            }
          ],
          "source": {
            "advisory": "GHSA-mmpq-5hcv-hf2v",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Server has a login timing side-channel reveals user existence"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39321",
        "datePublished": "2026-04-07T18:11:10.514Z",
        "dateReserved": "2026-04-06T19:31:07.266Z",
        "dateUpdated": "2026-04-07T19:58:57.199Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }