parse-server — Vulnerabilities & Security Advisories 106

All 106 CVE vulnerabilities found in parse-server, with AI-generated Chinese analysis, references, and POCs.

Vendor: Parse

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-32742 | Parse Server session creation endpoint allows overwriting server-generated session fields | CWE-915 | 4.3 | Medium | 2026-03-18 |
| CVE-2026-32728 | Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries | CWE-79 | 9.8 | - | 2026-03-18 |
| CVE-2026-32594 | Parse Server GraphQL WebSocket endpoint bypasses security middleware | CWE-306 | 9.1 (AI) | Critical (AI) | 2026-03-13 |
| CVE-2026-32269 | Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint | CWE-683 | 9.4 (AI) | Critical (AI) | 2026-03-12 |
| CVE-2026-32248 | Parse Server: Account takeover via operator injection in authentication data identifier | CWE-943 | 7.4 (AI) | High (AI) | 2026-03-12 |
| CVE-2026-32242 | Parse Server OAuth2 adapter shares mutable state across providers via singleton instance | CWE-362 | 8.2 (AI) | High (AI) | 2026-03-12 |
| CVE-2026-32234 | Parse Server has a SQL injection via query field name when using PostgreSQL | CWE-89 | 8.8 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-32098 | Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause | CWE-200 | 7.5 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31901 | Parse Server has user enumeration via email verification endpoint | CWE-204 | 5.3 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31875 | Parse Server MFA recovery codes not consumed after use | CWE-672 | 8.1 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31872 | Parse Server has a protected fields bypass via dot-notation in query and sort | CWE-284 | 5.3 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31871 | Parse Server has a SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-31868 | Parse Server has Stored XSS via file upload of HTML-renderable file types | CWE-79 | 7.6 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31856 | Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL | CWE-89 | 9.1 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-31840 | Parse Server has a SQL injection via dot-notation field name in PostgreSQL | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-31828 | Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction | CWE-90 | 8.8 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-31800 | Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes | CWE-862 | 9.8 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30972 | Parse Server has a rate limit bypass via batch request endpoint | CWE-799 | 5.3 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30967 | Parse Server OAuth2 authentication adapter account takeover via identity spoofing | CWE-287 | 9.8 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30966 | Parse Server role escalation and CLP bypass via direct `_Join` table write | CWE-284 | 10.0 | Critical | 2026-03-10 |
| CVE-2026-30965 | Parse Server session token exfiltration via `redirectClassNameForKey` query parameter | CWE-863 | 8.1 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30962 | Parse Server has a protected fields bypass via logical query operators | CWE-284 | 6.5 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30949 | Parse Server is missing audience validation in Keycloak authentication adapter | CWE-287 | 9.1 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30948 | Parse Server has stored cross-site scripting (XSS) via SVG file upload | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30947 | Parse Server has a bypass of class-level permissions in LiveQuery | CWE-863 | 7.5 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30946 | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API | CWE-770 | 7.5 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30941 | Parse Server has a NoSQL injection via token type in password reset and email verification endpoints | CWE-943 | 9.8 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30939 | Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution | CWE-1321 | 7.5 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30938 | Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement | CWE-693 | 9.1 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30925 | Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery | CWE-1333 | 7.5 (AI) | High (AI) | 2026-03-09 |

All 106 known CVE vulnerabilities affecting parse-server with full Chinese analysis, references, and POCs where available.