| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-39381 | Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` | parse-community | parse-server | - | - | 2026-04-07 19:51:03 | Deep Dive |
| CVE-2026-39321 | Parse Server has a login timing side-channel reveals user existence | parse-community | parse-server | - | - | 2026-04-07 18:11:11 | Deep Dive |
| CVE-2026-35200 | Parse Server has a file upload Content-Type override via extension mismatch | parse-community | parse-server | - | - | 2026-04-06 19:47:28 | Deep Dive |
| CVE-2026-34784 | Parse Server: Streaming file download bypasses afterFind file trigger authorization | parse-community | parse-server | Medium | - | 2026-03-31 19:39:55 | Deep Dive |
| CVE-2026-34215 | Parse Server: Auth data exposed via verify password endpoint | parse-community | parse-server | Medium | - | 2026-03-31 19:34:50 | Deep Dive |
| CVE-2026-34595 | Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value | parse-community | parse-server | - | - | 2026-03-31 15:10:07 | Deep Dive |
| CVE-2026-34574 | Parse Server: Session field immutability bypass via falsy-value guard | parse-community | parse-server | - | - | 2026-03-31 15:08:31 | Deep Dive |
| CVE-2026-34573 | Parse Server: GraphQL complexity validator exponential fragment traversal DoS | parse-community | parse-server | - | - | 2026-03-31 15:06:33 | Deep Dive |
| CVE-2026-34532 | Parse Server: Cloud function validator bypass via prototype chain traversal | parse-community | parse-server | - | - | 2026-03-31 14:42:10 | Deep Dive |
| CVE-2026-34373 | Parse Server: GraphQL API endpoint ignores CORS origin restriction | parse-community | parse-server | - | - | 2026-03-31 14:38:17 | Deep Dive |
| CVE-2026-34363 | Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers | parse-community | parse-server | - | - | 2026-03-31 14:35:42 | Deep Dive |
| CVE-2026-34224 | Parse Server: MFA single-use token bypass via concurrent authData login requests | parse-community | parse-server | - | - | 2026-03-31 14:25:23 | Deep Dive |
| CVE-2026-33627 | Parse Server: Auth data exposed via /users/me endpoint | parse-community | parse-server | Medium | - | 2026-03-24 18:31:15 | Deep Dive |
| CVE-2026-33624 | Parse Server: MFA recovery code single-use bypass via concurrent requests | parse-community | parse-server | Medium | - | 2026-03-24 18:28:52 | Deep Dive |
| CVE-2026-33539 | Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter | parse-community | parse-server | Medium | - | 2026-03-24 18:26:56 | Deep Dive |
| CVE-2026-33538 | Parse Server: Denial of service via unindexed database query for unconfigured auth providers | parse-community | parse-server | Medium | - | 2026-03-24 18:24:52 | Deep Dive |
| CVE-2026-33527 | Parse Server: Session update endpoint allows overwriting server-generated session fields | parse-community | parse-server | Medium | - | 2026-03-24 18:22:45 | Deep Dive |
| CVE-2026-33508 | Parse Server: LiveQuery subscription query depth bypass | parse-community | parse-server | Medium | - | 2026-03-24 18:21:08 | Deep Dive |
| CVE-2026-33498 | Parse Server: Query condition depth bypass via pre-validation transform pipeline | parse-community | parse-server | Medium | - | 2026-03-24 18:18:45 | Deep Dive |
| CVE-2026-33429 | Parse Server: Protected field change detection oracle via LiveQuery watch parameter | parse-community | parse-server | Medium | - | 2026-03-24 18:16:35 | Deep Dive |