parse-server — Vulnerabilities & Security Advisories 106

All 106 CVE vulnerabilities found in parse-server, with AI-generated Chinese analysis, references, and POCs.

Vendor: Parse

CVE ID	Title	CVSS	Severity	Published
CVE-2026-39381	Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` CWE-863	6.5^AI	Medium^AI	2026-04-07
CVE-2026-39321	Parse Server has a login timing side-channel reveals user existence CWE-208	4.8^AI	Medium^AI	2026-04-07
CVE-2026-35200	Parse Server has a file upload Content-Type override via extension mismatch CWE-436	8.2^AI	High^AI	2026-04-06
CVE-2026-34784	Parse Server: Streaming file download bypasses afterFind file trigger authorization CWE-285	7.5	-	2026-03-31
CVE-2026-34215	Parse Server: Auth data exposed via verify password endpoint CWE-200	6.5	-	2026-03-31
CVE-2026-34595	Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value CWE-843	8.8^AI	High^AI	2026-03-31
CVE-2026-34574	Parse Server: Session field immutability bypass via falsy-value guard CWE-697	7.1^AI	High^AI	2026-03-31
CVE-2026-34573	Parse Server: GraphQL complexity validator exponential fragment traversal DoS CWE-407	7.5^AI	High^AI	2026-03-31
CVE-2026-34532	Parse Server: Cloud function validator bypass via prototype chain traversal CWE-863	9.1^AI	Critical^AI	2026-03-31
CVE-2026-34373	Parse Server: GraphQL API endpoint ignores CORS origin restriction CWE-346	8.2^AI	High^AI	2026-03-31
CVE-2026-34363	Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers CWE-362	7.5^AI	High^AI	2026-03-31
CVE-2026-34224	Parse Server: MFA single-use token bypass via concurrent authData login requests CWE-367	8.2^AI	High^AI	2026-03-31
CVE-2026-33627	Parse Server: Auth data exposed via /users/me endpoint CWE-200	8.1	-	2026-03-24
CVE-2026-33624	Parse Server: MFA recovery code single-use bypass via concurrent requests CWE-367	9.1	-	2026-03-24
CVE-2026-33539	Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter CWE-89	7.2	-	2026-03-24
CVE-2026-33538	Parse Server: Denial of service via unindexed database query for unconfigured auth providers CWE-400	7.5	-	2026-03-24
CVE-2026-33527	Parse Server: Session update endpoint allows overwriting server-generated session fields CWE-863	4.3	-	2026-03-24
CVE-2026-33508	Parse Server: LiveQuery subscription query depth bypass CWE-674	7.5	-	2026-03-24
CVE-2026-33498	Parse Server: Query condition depth bypass via pre-validation transform pipeline CWE-674	7.5	-	2026-03-24
CVE-2026-33429	Parse Server: Protected field change detection oracle via LiveQuery watch parameter CWE-203	3.7	-	2026-03-24
CVE-2026-33421	Parse Server: LiveQuery bypasses CLP pointer permission enforcement CWE-863	6.5	-	2026-03-24
CVE-2026-33409	Parse Server: Auth provider validation bypass on login via partial authData CWE-287	8.1	-	2026-03-24
CVE-2026-33323	Parse Server: Email verification resend page leaks user existence CWE-204	5.3	-	2026-03-24
CVE-2026-33163	Parse Server leaks protected fields via LiveQuery afterEvent trigger CWE-200	6.5	-	2026-03-18
CVE-2026-33042	Parse Server affected by empty authData bypassing credential requirement on signup CWE-287	7.5	-	2026-03-18
CVE-2026-32944	Parse Server crash via deeply nested query condition operators CWE-674	7.5	-	2026-03-18
CVE-2026-32943	Parse Server has a password reset token single-use bypass via concurrent requests CWE-367	7.4	-	2026-03-18
CVE-2026-32886	Parse Server's Cloud function dispatch crashes server via prototype chain traversal CWE-1321	7.5	-	2026-03-18
CVE-2026-32878	Parse Server vulnerable to schema poisoning via prototype pollution in deep copy CWE-1321	8.2	-	2026-03-18
CVE-2026-32770	Parse Server: LiveQuery subscription with invalid regular expression crashes server CWE-248	5.9	Medium	2026-03-18

All 106 known CVE vulnerabilities affecting parse-server with full Chinese analysis, references, and POCs where available.

Goal Reached Thanks to every supporter — we hit 100%!

parse-server — Vulnerabilities & Security Advisories 106