parse-community — Vulnerabilities & Security Advisories 117

Browse all 117 CVE security advisories affecting parse-community. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Parse Community provides an open-source backend infrastructure designed to simplify mobile and web application development by offering ready-to-use APIs for data storage, user authentication, and push notifications. This framework allows developers to deploy their own servers, reducing reliance on proprietary third-party services. However, its widespread adoption has made it a frequent target for security researchers, resulting in over 110 recorded Common Vulnerabilities and Exposures (CVEs). Historically, these flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation or insecure default configurations in older versions. While the project maintains an active security response process, the sheer volume of past incidents highlights the complexity of maintaining secure, self-hosted environments. Users are strongly advised to keep installations updated and adhere to strict configuration guidelines to mitigate risks associated with these known vulnerabilities.

Found 111 results / 117
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-53726 | Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL | parse-server | CWE-639 | - | - | 2026-06-12 |
| CVE-2026-53725 | Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied | parse-server | CWE-200 | - | - | 2026-06-12 |
| CVE-2026-53724 | Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist | parse-server | CWE-434 | - | - | 2026-06-12 |
| CVE-2026-50008 | Parse Server: Server option routeAllowList is bypassable through batch sub-requests | parse-server | CWE-863 | - | - | 2026-06-12 |
| CVE-2026-47138 | Parse Server: Pre-authentication denial of service via client version header regex backtracking | parse-server | CWE-1333 | - | - | 2026-06-12 |
| CVE-2026-47248 | Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers | parse-server | CWE-209 | - | - | 2026-06-12 |
| CVE-2026-43930 | Parse Server: MFA SMS one-time password accepted twice under concurrent login | parse-server | CWE-362 | - | - | 2026-05-12 |
| CVE-2026-39381 | Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` | parse-server | CWE-863 | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39321 | Parse Server has a login timing side-channel reveals user existence | parse-server | CWE-208 | 4.8 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35200 | Parse Server has a file upload Content-Type override via extension mismatch | parse-server | CWE-436 | 8.2 (AI) | High (AI) | 2026-04-06 |
| CVE-2026-34784 | Parse Server: Streaming file download bypasses afterFind file trigger authorization | parse-server | CWE-285 | 7.5 | - | 2026-03-31 |
| CVE-2026-34215 | Parse Server: Auth data exposed via verify password endpoint | parse-server | CWE-200 | 6.5 | - | 2026-03-31 |
| CVE-2026-34595 | Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value | parse-server | CWE-843 | 8.8 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34574 | Parse Server: Session field immutability bypass via falsy-value guard | parse-server | CWE-697 | 7.1 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34573 | Parse Server: GraphQL complexity validator exponential fragment traversal DoS | parse-server | CWE-407 | 7.5 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34532 | Parse Server: Cloud function validator bypass via prototype chain traversal | parse-server | CWE-863 | 9.1 (AI) | Critical (AI) | 2026-03-31 |
| CVE-2026-34373 | Parse Server: GraphQL API endpoint ignores CORS origin restriction | parse-server | CWE-346 | 8.2 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34363 | Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers | parse-server | CWE-362 | 7.5 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34224 | Parse Server: MFA single-use token bypass via concurrent authData login requests | parse-server | CWE-367 | 8.2 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-33627 | Parse Server: Auth data exposed via /users/me endpoint | parse-server | CWE-200 | 8.1 | - | 2026-03-24 |
| CVE-2026-33624 | Parse Server: MFA recovery code single-use bypass via concurrent requests | parse-server | CWE-367 | 9.1 | - | 2026-03-24 |
| CVE-2026-33539 | Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter | parse-server | CWE-89 | 7.2 | - | 2026-03-24 |
| CVE-2026-33538 | Parse Server: Denial of service via unindexed database query for unconfigured auth providers | parse-server | CWE-400 | 7.5 | - | 2026-03-24 |
| CVE-2026-33527 | Parse Server: Session update endpoint allows overwriting server-generated session fields | parse-server | CWE-863 | 4.3 | - | 2026-03-24 |
| CVE-2026-33508 | Parse Server: LiveQuery subscription query depth bypass | parse-server | CWE-674 | 7.5 | - | 2026-03-24 |
| CVE-2026-33498 | Parse Server: Query condition depth bypass via pre-validation transform pipeline | parse-server | CWE-674 | 7.5 | - | 2026-03-24 |
| CVE-2026-33429 | Parse Server: Protected field change detection oracle via LiveQuery watch parameter | parse-server | CWE-203 | 3.7 | - | 2026-03-24 |
| CVE-2026-33421 | Parse Server: LiveQuery bypasses CLP pointer permission enforcement | parse-server | CWE-863 | 6.5 | - | 2026-03-24 |
| CVE-2026-33409 | Parse Server: Auth provider validation bypass on login via partial authData | parse-server | CWE-287 | 8.1 | - | 2026-03-24 |
| CVE-2026-33323 | Parse Server: Email verification resend page leaks user existence | parse-server | CWE-204 | 5.3 | - | 2026-03-24 |

This page lists every published CVE security advisory associated with parse-community. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.