
parse-server — Vulnerabilities & Security Advisories 106

All 106 CVE vulnerabilities found in parse-server, with AI-generated Chinese analysis, references, and POCs.

Vendor: Parse

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-30854 | Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled | CWE-863 | 5.3 | - | 2026-03-07 |
| CVE-2026-30850 | Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization | CWE-862 | 5.3 | - | 2026-03-07 |
| CVE-2026-30848 | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory | CWE-22 | 7.5 | - | 2026-03-07 |
| CVE-2026-30863 | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | CWE-287 | 9.8 | - | 2026-03-07 |
| CVE-2026-30835 | Parse Server: Malformed `$regex` query leaks database error details in API response | CWE-209 | 7.5 | - | 2026-03-06 |
| CVE-2026-30229 | Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user | CWE-863 | 9.8 | - | 2026-03-06 |
| CVE-2026-30228 | Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction | CWE-863 | 9.1 | - | 2026-03-06 |
| CVE-2026-29182 | Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction | CWE-863 | 8.1 | - | 2026-03-06 |
| CVE-2026-27804 | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter | CWE-327 | 9.8 (AI) | Critical (AI) | 2026-02-25 |
| CVE-2025-68150 | Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter | CWE-918 | 9.1 (AI) | Critical (AI) | 2025-12-16 |
| CVE-2025-68115 | Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-12-16 |
| CVE-2025-67727 | Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management | CWE-94 | 9.8 (AI) | Critical (AI) | 2025-12-12 |
| CVE-2025-64502 | Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details | CWE-201 | 5.3 | - | 2025-11-10 |
| CVE-2025-64430 | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format | CWE-918 | 7.5 | High | 2025-11-07 |
| CVE-2025-53364 | Parse Server exposes the data schema via GraphQL API | CWE-497 | 5.3 | Medium | 2025-07-10 |
| CVE-2025-30168 | Parse Server has an OAuth login vulnerability | CWE-287 | 6.9 | Medium | 2025-03-21 |
| CVE-2024-47183 | Parse Server's custom object ID allows to acquire role privileges | CWE-285 | 8.1 | High | 2024-10-04 |
| CVE-2024-39309 | ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability | CWE-288 | 9.8 | Critical | 2024-07-01 |
| CVE-2024-29027 | Parse Server crash and RCE via invalid Cloud Function or Cloud Job name | CWE-74 | 9.1 | Critical | 2024-03-19 |
| CVE-2024-27298 | Parse Server literalizeRegexPart SQL Injection | CWE-89 | 10.0 | Critical | 2024-03-01 |
| CVE-2023-46119 | Parse Server may crash when uploading file without extension | CWE-23 | 7.5 | High | 2023-10-25 |
| CVE-2023-41058 | Trigger `beforeFind` not invoked in internal query pipeline in parse-server | CWE-670 | 7.5 | High | 2023-09-04 |
| CVE-2023-36475 | Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution | CWE-1321 | 9.8 | Critical | 2023-06-28 |
| CVE-2023-32689 | Parse Server vulnerable to phishing attack vulnerability that involves uploading malicious HTML file | CWE-434 | 6.3 | Medium | 2023-05-30 |
| CVE-2023-22474 | Parse Server is vulnerable to authentication bypass via spoofing | CWE-290 | 8.7 | High | 2023-02-03 |
| CVE-2022-39396 | Parse Server vulnerable to Remote Code Execution via prototype pollution in MongoDB BSON parser | CWE-1321 | 9.8 | Critical | 2022-11-10 |
| CVE-2022-41878 | Parse Server Prototype pollution and Injection via Cloud Code Webhooks or Cloud Code Triggers | CWE-74 | 7.2 | High | 2022-11-10 |
| CVE-2022-41879 | Parse Server subject to Prototype pollution via Cloud Code Webhooks | CWE-1321 | 7.2 | High | 2022-11-10 |
| CVE-2022-39313 | Parse Server crashes when receiving file download request with invalid byte range | CWE-1284 | 7.5 | High | 2022-10-24 |
| CVE-2022-39231 | Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented | CWE-287 | 3.7 | Low | 2022-09-23 |

All 106 known CVE vulnerabilities affecting parse-server with full Chinese analysis, references, and POCs where available.