parse-community — Vulnerabilities & Security Advisories 110

Browse all 110 CVE security advisories affecting parse-community. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top 10 Products parse-community:parse-server parse-dashboard parse-server-push-adapter Parse-SDK-JS

CVE ID	Title	CVSS	Severity	Paused
CVE-2026-32742	Parse Server session creation endpoint allows overwriting server-generated session fields — parse-serverCWE-915	4.3	Medium	2026-03-18
CVE-2026-32728	Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries — parse-serverCWE-79	9.8	-	2026-03-18
CVE-2026-32594	Parse Server GraphQL WebSocket endpoint bypasses security middleware — parse-serverCWE-306	9.1^AI	Critical^AI	2026-03-13
CVE-2026-32269	Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint — parse-serverCWE-683	9.4^AI	Critical^AI	2026-03-12
CVE-2026-32248	Parse Server: Account takeover via operator injection in authentication data identifier — parse-serverCWE-943	7.4^AI	High^AI	2026-03-12
CVE-2026-32242	Parse Server OAuth2 adapter shares mutable state across providers via singleton instance — parse-serverCWE-362	8.2^AI	High^AI	2026-03-12
CVE-2026-32234	Parse Server has a SQL injection via query field name when using PostgreSQL — parse-serverCWE-89	8.8^AI	High^AI	2026-03-11
CVE-2026-32098	Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause — parse-serverCWE-200	7.5^AI	High^AI	2026-03-11
CVE-2026-31901	Parse Server has user enumeration via email verification endpoint — parse-serverCWE-204	5.3^AI	Medium^AI	2026-03-11
CVE-2026-31875	Parse Server MFA recovery codes not consumed after use — parse-serverCWE-672	8.1^AI	High^AI	2026-03-11
CVE-2026-31872	Parse Server has a protected fields bypass via dot-notation in query and sort — parse-serverCWE-284	5.3^AI	Medium^AI	2026-03-11
CVE-2026-31871	Parse Server has a SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL — parse-serverCWE-89	9.8^AI	Critical^AI	2026-03-11
CVE-2026-31868	Parse Server has Stored XSS via file upload of HTML-renderable file types — parse-serverCWE-79	7.6^AI	High^AI	2026-03-11
CVE-2026-31856	Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL — parse-serverCWE-89	9.1^AI	Critical^AI	2026-03-11
CVE-2026-31840	Parse Server has a SQL injection via dot-notation field name in PostgreSQL — parse-serverCWE-89	9.8^AI	Critical^AI	2026-03-11
CVE-2026-31828	Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction — parse-serverCWE-90	8.8^AI	High^AI	2026-03-10
CVE-2026-31800	Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes — parse-serverCWE-862	9.8^AI	Critical^AI	2026-03-10
CVE-2026-30972	Parse Server has a rate limit bypass via batch request endpoint — parse-serverCWE-799	5.3^AI	Medium^AI	2026-03-10
CVE-2026-30967	Parse Server OAuth2 authentication adapter account takeover via identity spoofing — parse-serverCWE-287	9.8^AI	Critical^AI	2026-03-10
CVE-2026-30966	Parse Server role escalation and CLP bypass via direct `_Join` table write — parse-serverCWE-284	10.0	Critical	2026-03-10
CVE-2026-30965	Parse Server session token exfiltration via `redirectClassNameForKey` query parameter — parse-serverCWE-863	8.1^AI	High^AI	2026-03-10
CVE-2026-30962	Parse Server has a protected fields bypass via logical query operators — parse-serverCWE-284	6.5^AI	Medium^AI	2026-03-10
CVE-2026-30949	Parse Server is missing audience validation in Keycloak authentication adapter — parse-serverCWE-287	9.1^AI	Critical^AI	2026-03-10
CVE-2026-30948	Parse Server has stored cross-site scripting (XSS) via SVG file upload — parse-serverCWE-79	5.4^AI	Medium^AI	2026-03-10
CVE-2026-30947	Parse Server ha a bypass of class-level permissions in LiveQuery — parse-serverCWE-863	7.5^AI	High^AI	2026-03-10
CVE-2026-30946	Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API — parse-serverCWE-770	7.5^AI	High^AI	2026-03-10
CVE-2026-30941	Parse Server has a NoSQL injection via token type in password reset and email verification endpoints — parse-serverCWE-943	9.8^AI	Critical^AI	2026-03-10
CVE-2026-30939	Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution — parse-serverCWE-1321	7.5^AI	High^AI	2026-03-10
CVE-2026-30938	Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement — parse-serverCWE-693	9.1^AI	Critical^AI	2026-03-10
CVE-2026-30925	Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery — parse-serverCWE-1333	7.5^AI	High^AI	2026-03-09

This page lists every published CVE security advisory associated with parse-community. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.

Support Us — Your donation helps us keep running

parse-community — Vulnerabilities & Security Advisories 110