
parse-server — Vulnerabilities & Security Advisories 115

All 115 CVE vulnerabilities found in parse-server, with AI-generated Chinese analysis, references, and POCs.

This page documents the security vulnerabilities and weakness classes associated with parse-server, the open-source backend framework, organised by Open Web Application Security Project (OWASP) weakness classification. It aggregates vulnerability data reported and analysed over the past five years, so that both historical context and recent developments are covered. Use it to track vendor advisories for parse-server, to support risk assessment and timely patching, and to understand which weakness classes (and therefore which attack vectors) recur in this product. The vulnerability history also shows how the project's security issues have evolved over time, which matters for long-term security hygiene. Whether you maintain parse-server instances or audit them, centralising this information in one place is meant to simplify monitoring and mitigation and to support informed, proactive defence.

Vendor: Parse

Entries marked (AI) carry an AI badge on their score or severity in the original listing; "-" means no severity was given.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-33409 | Parse Server: Auth provider validation bypass on login via partial authData | CWE-287 | 8.1 | - | 2026-03-24 |
| CVE-2026-33323 | Parse Server: Email verification resend page leaks user existence | CWE-204 | 5.3 | - | 2026-03-24 |
| CVE-2026-33163 | Parse Server leaks protected fields via LiveQuery afterEvent trigger | CWE-200 | 6.5 | - | 2026-03-18 |
| CVE-2026-33042 | Parse Server affected by empty authData bypassing credential requirement on signup | CWE-287 | 7.5 | - | 2026-03-18 |
| CVE-2026-32944 | Parse Server crash via deeply nested query condition operators | CWE-674 | 7.5 | - | 2026-03-18 |
| CVE-2026-32943 | Parse Server has a password reset token single-use bypass via concurrent requests | CWE-367 | 7.4 | - | 2026-03-18 |
| CVE-2026-32886 | Parse Server's Cloud function dispatch crashes server via prototype chain traversal | CWE-1321 | 7.5 | - | 2026-03-18 |
| CVE-2026-32878 | Parse Server vulnerable to schema poisoning via prototype pollution in deep copy | CWE-1321 | 8.2 | - | 2026-03-18 |
| CVE-2026-32770 | Parse Server: LiveQuery subscription with invalid regular expression crashes server | CWE-248 | 5.9 | Medium | 2026-03-18 |
| CVE-2026-32742 | Parse Server session creation endpoint allows overwriting server-generated session fields | CWE-915 | 4.3 | Medium | 2026-03-18 |
| CVE-2026-32728 | Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries | CWE-79 | 9.8 | - | 2026-03-18 |
| CVE-2026-32594 | Parse Server GraphQL WebSocket endpoint bypasses security middleware | CWE-306 | 9.1 (AI) | Critical (AI) | 2026-03-13 |
| CVE-2026-32269 | Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint | CWE-683 | 9.4 (AI) | Critical (AI) | 2026-03-12 |
| CVE-2026-32248 | Parse Server: Account takeover via operator injection in authentication data identifier | CWE-943 | 7.4 (AI) | High (AI) | 2026-03-12 |
| CVE-2026-32242 | Parse Server OAuth2 adapter shares mutable state across providers via singleton instance | CWE-362 | 8.2 (AI) | High (AI) | 2026-03-12 |
| CVE-2026-32234 | Parse Server has a SQL injection via query field name when using PostgreSQL | CWE-89 | 8.8 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-32098 | Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause | CWE-200 | 7.5 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31901 | Parse Server has user enumeration via email verification endpoint | CWE-204 | 5.3 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31875 | Parse Server MFA recovery codes not consumed after use | CWE-672 | 8.1 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31872 | Parse Server has a protected fields bypass via dot-notation in query and sort | CWE-284 | 5.3 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31871 | Parse Server has a SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-31868 | Parse Server has Stored XSS via file upload of HTML-renderable file types | CWE-79 | 7.6 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31856 | Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL | CWE-89 | 9.1 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-31840 | Parse Server has a SQL injection via dot-notation field name in PostgreSQL | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-31828 | Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction | CWE-90 | 8.8 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-31800 | Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes | CWE-862 | 9.8 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30972 | Parse Server has a rate limit bypass via batch request endpoint | CWE-799 | 5.3 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30967 | Parse Server OAuth2 authentication adapter account takeover via identity spoofing | CWE-287 | 9.8 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30966 | Parse Server role escalation and CLP bypass via direct `_Join` table write | CWE-284 | 10.0 | Critical | 2026-03-10 |
| CVE-2026-30965 | Parse Server session token exfiltration via `redirectClassNameForKey` query parameter | CWE-863 | 8.1 (AI) | High (AI) | 2026-03-10 |
