VYPR

Bitnami package

parse

pkg:bitnami/parse

Vulnerabilities (110)

  • CVE-2026-33624Mar 24, 2026
    affected < 8.6.60fixed 8.6.60

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times

  • CVE-2026-33539Mar 24, 2026
    affected < 8.6.59fixed 8.6.59

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters

  • CVE-2026-33538Mar 24, 2026
    affected < 8.6.58fixed 8.6.58

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider na

  • CVE-2026-33527Mar 24, 2026
    affected < 8.6.57fixed 8.6.57

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own sessi

  • CVE-2026-33508Mar 24, 2026
    affected < 8.6.56fixed 8.6.56

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocke

  • CVE-2026-33498Mar 24, 2026
    affected < 8.6.55fixed 8.6.55

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang th

  • CVE-2026-33429Mar 24, 2026
    affected < 8.6.54fixed 8.6.54

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is pr

  • CVE-2026-33421Mar 24, 2026
    affected < 8.6.53fixed 8.6.53

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and

  • CVE-2026-33409Mar 24, 2026
    affected < 8.6.52fixed 8.6.52

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provide

  • CVE-2026-33323Mar 24, 2026
    affected < 8.6.51fixed 8.6.51

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whe

  • CVE-2026-33163Mar 18, 2026
    affected < 8.6.50fixed 8.6.50

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to al

  • CVE-2026-33042Mar 18, 2026
    affected < 8.6.49fixed 8.6.49

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. Thi

  • CVE-2026-32944Mar 18, 2026
    affected < 8.6.45fixed 8.6.45

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. Thi

  • CVE-2026-32943Mar 18, 2026
    affected < 8.6.48fixed 8.6.48

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated t

  • CVE-2026-32886Mar 18, 2026
    affected < 8.6.47fixed 8.6.47

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaS

  • CVE-2026-32878Mar 18, 2026
    affected < 8.6.44fixed 8.6.44

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted

  • CVE-2026-32770Mar 18, 2026
    affected < 8.6.43fixed 8.6.43

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process te

  • CVE-2026-32742Mar 18, 2026
    affected < 8.6.42fixed 8.6.42

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session obj

  • CVE-2026-32728Mar 18, 2026
    affected < 8.6.41fixed 8.6.41

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the

  • CVE-2026-32594Mar 13, 2026
    affected < 8.6.40fixed 8.6.40

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, i

Page 2 of 6