| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-30854 | Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled | parse-community | parse-server | Medium | - | 2026-03-07 16:24:10 | Deep Dive |
| CVE-2026-30850 | Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization | parse-community | parse-server | Medium | - | 2026-03-07 16:21:54 | Deep Dive |
| CVE-2026-30848 | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory | parse-community | parse-server | Medium | - | 2026-03-07 16:20:22 | Deep Dive |
| CVE-2026-30863 | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | parse-community | parse-server | Medium | - | 2026-03-07 16:18:48 | Deep Dive |
| CVE-2026-30835 | Parse Server: Malformed `$regex` query leaks database error details in API response | parse-community | parse-server | Medium | - | 2026-03-06 20:28:28 | Deep Dive |
| CVE-2026-30229 | Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user | parse-community | parse-server | Medium | - | 2026-03-06 20:26:54 | Deep Dive |
| CVE-2026-30228 | Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction | parse-community | parse-server | Medium | - | 2026-03-06 20:25:35 | Deep Dive |
| CVE-2026-29182 | Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction | parse-community | parse-server | High | - | 2026-03-06 20:24:11 | Deep Dive |
| CVE-2026-27804 | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter | parse-community | parse-server | - | - | 2026-02-25 23:48:21 | Deep Dive |
| CVE-2026-27595 | Parse Dashboard has incomplete authentication on AI Agent endpoint | parse-community | parse-dashboard | - | - | 2026-02-25 02:21:33 | Deep Dive |
| CVE-2026-27610 | Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions | parse-community | parse-dashboard | - | - | 2026-02-25 02:19:56 | Deep Dive |
| CVE-2026-27609 | Parse Dashboard Missing CSRF Protection on Agent Endpoint | parse-community | parse-dashboard | - | - | 2026-02-25 02:18:29 | Deep Dive |
| CVE-2026-27608 | Parse Dashboard Missing Authorization on Agent Endpoint | parse-community | parse-dashboard | - | - | 2026-02-25 02:16:31 | Deep Dive |
| CVE-2025-68150 | Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter | parse-community | parse-server | - | - | 2025-12-16 18:15:09 | Deep Dive |
| CVE-2025-68115 | Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables | parse-community | parse-server | - | - | 2025-12-16 00:56:23 | Deep Dive |
| CVE-2025-67727 | Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management | parse-community | parse-server | - | - | 2025-12-12 06:35:53 | Deep Dive |
| CVE-2025-64502 | Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details | parse-community | parse-server | Medium | - | 2025-11-10 21:40:34 | Deep Dive |
| CVE-2025-64430 | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format | parse-community | parse-server | High | 7.5 | 2025-11-07 17:55:28 | Deep Dive |
| CVE-2025-62374 | Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs | parse-community | Parse-SDK-JS | Medium | 6.4 | 2025-10-14 20:06:44 | Deep Dive |
| CVE-2025-53364 | Parse Server exposes the data schema via GraphQL API | parse-community | parse-server | Medium | 5.3 | 2025-07-10 15:18:25 | Deep Dive |