Vulnerability List

CVE ID	Title	Vendor	Product	Severity	CVSS Score	Published At	AI Analysis
CVE-2026-31872	Parse Server has a protected fields bypass via dot-notation in query and sort	parse-community	parse-server	-	-	2026-03-11 18:02:57	Deep Dive
CVE-2026-31871	Parse Server has a SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL	parse-community	parse-server	-	-	2026-03-11 18:01:17	Deep Dive
CVE-2026-31868	Parse Server has Stored XSS via file upload of HTML-renderable file types	parse-community	parse-server	-	-	2026-03-11 17:54:34	Deep Dive
CVE-2026-31856	Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL	parse-community	parse-server	-	-	2026-03-11 17:14:17	Deep Dive
CVE-2026-31840	Parse Server has a SQL injection via dot-notation field name in PostgreSQL	parse-community	parse-server	-	-	2026-03-11 16:53:17	Deep Dive
CVE-2026-31828	Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction	parse-community	parse-server	-	-	2026-03-10 21:41:48	Deep Dive
CVE-2026-31800	Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes	parse-community	parse-server	-	-	2026-03-10 20:51:14	Deep Dive
CVE-2026-30972	Parse Server has a rate limit bypass via batch request endpoint	parse-community	parse-server	-	-	2026-03-10 20:48:47	Deep Dive
CVE-2026-30967	Parse Server OAuth2 authentication adapter account takeover via identity spoofing	parse-community	parse-server	-	-	2026-03-10 20:46:40	Deep Dive
CVE-2026-30966	Parse Server role escalation and CLP bypass via direct `_Join` table write	parse-community	parse-server	Critical	10.0	2026-03-10 20:45:16	Deep Dive
CVE-2026-30965	Parse Server session token exfiltration via `redirectClassNameForKey` query parameter	parse-community	parse-server	-	-	2026-03-10 20:43:52	Deep Dive
CVE-2026-30962	Parse Server has a protected fields bypass via logical query operators	parse-community	parse-server	-	-	2026-03-10 20:42:23	Deep Dive
CVE-2026-30949	Parse Server is missing audience validation in Keycloak authentication adapter	parse-community	parse-server	-	-	2026-03-10 20:20:12	Deep Dive
CVE-2026-30948	Parse Server has stored cross-site scripting (XSS) via SVG file upload	parse-community	parse-server	-	-	2026-03-10 20:18:24	Deep Dive
CVE-2026-30947	Parse Server ha a bypass of class-level permissions in LiveQuery	parse-community	parse-server	-	-	2026-03-10 20:16:35	Deep Dive
CVE-2026-30946	Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API	parse-community	parse-server	-	-	2026-03-10 20:14:48	Deep Dive
CVE-2026-30941	Parse Server has a NoSQL injection via token type in password reset and email verification endpoints	parse-community	parse-server	-	-	2026-03-10 16:40:13	Deep Dive
CVE-2026-30939	Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution	parse-community	parse-server	-	-	2026-03-10 16:37:50	Deep Dive
CVE-2026-30938	Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement	parse-community	parse-server	-	-	2026-03-10 16:34:03	Deep Dive
CVE-2026-30925	Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery	parse-community	parse-server	-	-	2026-03-09 23:01:32	Deep Dive

Goal Reached Thanks to every supporter — we hit 100%!

Vulnerability List