
parse-server — Vulnerabilities & Security Advisories (115)

All 115 CVE vulnerabilities found in parse-server, with AI-generated Chinese analysis, references, and POCs where available.

This page documents the known weaknesses and security vulnerabilities of the parse-server product, classified by weakness type (CWE) in the manner of the Open Web Application Security Project (OWASP). It aggregates vulnerability data reported and analyzed over the past five years, so both historical context and recent developments are included.

Use it to track vendor advisories for parse-server, to assess risk and plan timely patching, and to see which weakness classes recur in this product and which attack vectors they imply. The vulnerability history also shows how the product's security issues have evolved over time, which matters for long-term security hygiene. Whether you maintain parse-server instances or audit them, the structured overview of past and present vulnerabilities below supports informed decisions and proactive defense.

Vendor: Parse

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2021-47987 | Parse Server - Arbitrary Code Execution via Malicious Version Tags | CWE-494 | 7.5 | High | 2026-06-25 |
| CVE-2021-47986 | Parse Server - Unreviewed Code Execution via Malicious Version Tags | CWE-494 | 7.5 | High | 2026-06-25 |
| CVE-2026-53726 | Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL | CWE-639 | - | - | 2026-06-12 |
| CVE-2026-53725 | Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied | CWE-200 | - | - | 2026-06-12 |
| CVE-2026-53724 | Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist | CWE-434 | - | - | 2026-06-12 |
| CVE-2026-50008 | Parse Server: Server option routeAllowList is bypassable through batch sub-requests | CWE-863 | - | - | 2026-06-12 |
| CVE-2026-47138 | Parse Server: Pre-authentication denial of service via client version header regex backtracking | CWE-1333 | - | - | 2026-06-12 |
| CVE-2026-47248 | Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers | CWE-209 | - | - | 2026-06-12 |
| CVE-2026-43930 | Parse Server: MFA SMS one-time password accepted twice under concurrent login | CWE-362 | - | - | 2026-05-12 |
| CVE-2026-39381 | Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` | CWE-863 | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39321 | Parse Server has a login timing side-channel reveals user existence | CWE-208 | 4.8 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35200 | Parse Server has a file upload Content-Type override via extension mismatch | CWE-436 | 8.2 (AI) | High (AI) | 2026-04-06 |
| CVE-2026-34784 | Parse Server: Streaming file download bypasses afterFind file trigger authorization | CWE-285 | 7.5 | - | 2026-03-31 |
| CVE-2026-34215 | Parse Server: Auth data exposed via verify password endpoint | CWE-200 | 6.5 | - | 2026-03-31 |
| CVE-2026-34595 | Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value | CWE-843 | 8.8 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34574 | Parse Server: Session field immutability bypass via falsy-value guard | CWE-697 | 7.1 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34573 | Parse Server: GraphQL complexity validator exponential fragment traversal DoS | CWE-407 | 7.5 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34532 | Parse Server: Cloud function validator bypass via prototype chain traversal | CWE-863 | 9.1 (AI) | Critical (AI) | 2026-03-31 |
| CVE-2026-34373 | Parse Server: GraphQL API endpoint ignores CORS origin restriction | CWE-346 | 8.2 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34363 | Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers | CWE-362 | 7.5 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34224 | Parse Server: MFA single-use token bypass via concurrent authData login requests | CWE-367 | 8.2 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-33627 | Parse Server: Auth data exposed via /users/me endpoint | CWE-200 | 8.1 | - | 2026-03-24 |
| CVE-2026-33624 | Parse Server: MFA recovery code single-use bypass via concurrent requests | CWE-367 | 9.1 | - | 2026-03-24 |
| CVE-2026-33539 | Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter | CWE-89 | 7.2 | - | 2026-03-24 |
| CVE-2026-33538 | Parse Server: Denial of service via unindexed database query for unconfigured auth providers | CWE-400 | 7.5 | - | 2026-03-24 |
| CVE-2026-33527 | Parse Server: Session update endpoint allows overwriting server-generated session fields | CWE-863 | 4.3 | - | 2026-03-24 |
| CVE-2026-33508 | Parse Server: LiveQuery subscription query depth bypass | CWE-674 | 7.5 | - | 2026-03-24 |
| CVE-2026-33498 | Parse Server: Query condition depth bypass via pre-validation transform pipeline | CWE-674 | 7.5 | - | 2026-03-24 |
| CVE-2026-33429 | Parse Server: Protected field change detection oracle via LiveQuery watch parameter | CWE-203 | 3.7 | - | 2026-03-24 |
| CVE-2026-33421 | Parse Server: LiveQuery bypasses CLP pointer permission enforcement | CWE-863 | 6.5 | - | 2026-03-24 |

Scores and severities marked (AI) are the site's AI-generated estimates rather than vendor-published values; "-" means no value was listed.
