| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-30854 | Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled | parse-community | parse-server | Medium | - | 2026-03-07 16:24:10 | Deep Dive |
| CVE-2026-30850 | Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization | parse-community | parse-server | Medium | - | 2026-03-07 16:21:54 | Deep Dive |
| CVE-2026-30848 | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory | parse-community | parse-server | Medium | - | 2026-03-07 16:20:22 | Deep Dive |
| CVE-2026-30863 | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | parse-community | parse-server | Medium | - | 2026-03-07 16:18:48 | Deep Dive |
| CVE-2026-30835 | Parse Server: Malformed `$regex` query leaks database error details in API response | parse-community | parse-server | Medium | - | 2026-03-06 20:28:28 | Deep Dive |
| CVE-2026-30229 | Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user | parse-community | parse-server | Medium | - | 2026-03-06 20:26:54 | Deep Dive |
| CVE-2026-30228 | Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction | parse-community | parse-server | Medium | - | 2026-03-06 20:25:35 | Deep Dive |
| CVE-2026-29182 | Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction | parse-community | parse-server | High | - | 2026-03-06 20:24:11 | Deep Dive |
| CVE-2026-27804 | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter | parse-community | parse-server | - | - | 2026-02-25 23:48:21 | Deep Dive |
| CVE-2025-68150 | Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter | parse-community | parse-server | - | - | 2025-12-16 18:15:09 | Deep Dive |
| CVE-2025-68115 | Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables | parse-community | parse-server | - | - | 2025-12-16 00:56:23 | Deep Dive |
| CVE-2025-67727 | Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management | parse-community | parse-server | - | - | 2025-12-12 06:35:53 | Deep Dive |
| CVE-2025-64502 | Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details | parse-community | parse-server | Medium | - | 2025-11-10 21:40:34 | Deep Dive |
| CVE-2025-64430 | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format | parse-community | parse-server | High | 7.5 | 2025-11-07 17:55:28 | Deep Dive |
| CVE-2025-53364 | Parse Server exposes the data schema via GraphQL API | parse-community | parse-server | Medium | 5.3 | 2025-07-10 15:18:25 | Deep Dive |
| CVE-2025-30168 | Parse Server has an OAuth login vulnerability | parse-community | parse-server | Medium | 6.9 | 2025-03-21 14:54:22 | Deep Dive |
| CVE-2024-47183 | Parse Server's custom object ID allows to acquire role privileges | parse-community | parse-server | High | 8.1 | 2024-10-04 15:06:45 | Deep Dive |
| CVE-2024-39309 | ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability | parse-community | parse-server | Critical | 9.8 | 2024-07-01 21:15:26 | Deep Dive |
| CVE-2024-29027 | Parse Server crash and RCE via invalid Cloud Function or Cloud Job name | parse-community | parse-server | Critical | 9.0 | 2024-03-19 18:57:25 | Deep Dive |
| CVE-2024-27298 | Parse Server literalizeRegexPart SQL Injection | parse-community | parse-server | Critical | 10.0 | 2024-03-01 17:48:53 | Deep Dive |