parse-community — Vulnerabilities & Security Advisories 117

Browse all 117 CVE security advisories affecting parse-community. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Parse Community provides an open-source backend infrastructure designed to simplify mobile and web application development by offering ready-to-use APIs for data storage, user authentication, and push notifications. This framework allows developers to deploy their own servers, reducing reliance on proprietary third-party services. However, its widespread adoption has made it a frequent target for security researchers, resulting in over 110 recorded Common Vulnerabilities and Exposures (CVEs). Historically, these flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation or insecure default configurations in older versions. While the project maintains an active security response process, the sheer volume of past incidents highlights the complexity of maintaining secure, self-hosted environments. Users are strongly advised to keep installations updated and adhere to strict configuration guidelines to mitigate risks associated with these known vulnerabilities.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-30948 | Parse Server has stored cross-site scripting (XSS) via SVG file upload | parse-server | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30947 | Parse Server has a bypass of class-level permissions in LiveQuery | parse-server | CWE-863 | 7.5 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30946 | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API | parse-server | CWE-770 | 7.5 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30941 | Parse Server has a NoSQL injection via token type in password reset and email verification endpoints | parse-server | CWE-943 | 9.8 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30939 | Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution | parse-server | CWE-1321 | 7.5 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30938 | Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement | parse-server | CWE-693 | 9.1 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30925 | Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery | parse-server | CWE-1333 | 7.5 (AI) | High (AI) | 2026-03-09 |
| CVE-2026-30854 | Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled | parse-server | CWE-863 | 5.3 | - | 2026-03-07 |
| CVE-2026-30850 | Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization | parse-server | CWE-862 | 5.3 | - | 2026-03-07 |
| CVE-2026-30848 | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory | parse-server | CWE-22 | 7.5 | - | 2026-03-07 |
| CVE-2026-30863 | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | parse-server | CWE-287 | 9.8 | - | 2026-03-07 |
| CVE-2026-30835 | Parse Server: Malformed `$regex` query leaks database error details in API response | parse-server | CWE-209 | 7.5 | - | 2026-03-06 |
| CVE-2026-30229 | Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user | parse-server | CWE-863 | 9.8 | - | 2026-03-06 |
| CVE-2026-30228 | Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction | parse-server | CWE-863 | 9.1 | - | 2026-03-06 |
| CVE-2026-29182 | Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction | parse-server | CWE-863 | 8.1 | - | 2026-03-06 |
| CVE-2026-27804 | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter | parse-server | CWE-327 | 9.8 (AI) | Critical (AI) | 2026-02-25 |
| CVE-2026-27595 | Parse Dashboard has incomplete authentication on AI Agent endpoint | parse-dashboard | CWE-306 | 9.1 (AI) | Critical (AI) | 2026-02-25 |
| CVE-2026-27610 | Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions | parse-dashboard | CWE-1289 | 5.3 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2026-27609 | Parse Dashboard Missing CSRF Protection on Agent Endpoint | parse-dashboard | CWE-352 | 8.8 (AI) | High (AI) | 2026-02-25 |
| CVE-2026-27608 | Parse Dashboard Missing Authorization on Agent Endpoint | parse-dashboard | CWE-862 | 8.8 (AI) | High (AI) | 2026-02-25 |
| CVE-2025-68150 | Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter | parse-server | CWE-918 | 9.1 (AI) | Critical (AI) | 2025-12-16 |
| CVE-2025-68115 | Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables | parse-server | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-12-16 |
| CVE-2025-67727 | Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management | parse-server | CWE-94 | 9.8 (AI) | Critical (AI) | 2025-12-12 |
| CVE-2025-64502 | Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details | parse-server | CWE-201 | 5.3 | - | 2025-11-10 |
| CVE-2025-64430 | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format | parse-server | CWE-918 | 7.5 | High | 2025-11-07 |
| CVE-2025-62374 | Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs | Parse-SDK-JS | CWE-1321 | 6.4 | Medium | 2025-10-14 |
| CVE-2025-53364 | Parse Server exposes the data schema via GraphQL API | parse-server | CWE-497 | 5.3 | Medium | 2025-07-10 |
| CVE-2025-30168 | Parse Server has an OAuth login vulnerability | parse-server | CWE-287 | 6.9 | Medium | 2025-03-21 |
| CVE-2024-47183 | Parse Server's custom object ID allows to acquire role privileges | parse-server | CWE-285 | 8.1 | High | 2024-10-04 |
| CVE-2024-39309 | ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability | parse-server | CWE-288 | 9.8 | Critical | 2024-07-01 |

This page lists every published CVE security advisory associated with parse-community. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.