VYPR

Bitnami package

parse

pkg:bitnami/parse

Vulnerabilities (110)

  • CVE-2026-30948Mar 10, 2026
    affected < 8.6.17fixed 8.6.17

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is serv

  • CVE-2026-30947Mar 10, 2026
    affected < 8.6.16fixed 8.6.16

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any Li

  • CVE-2026-30946Mar 10, 2026
    affected < 8.6.15fixed 8.6.15

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack

  • CVE-2026-30941Mar 10, 2026
    affected < 8.6.14fixed 8.6.14

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset

  • CVE-2026-30939Mar 10, 2026
    affected < 8.6.13fixed 8.6.13

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the fun

  • CVE-2026-30938Mar 10, 2026
    affected < 8.6.12fixed 8.6.12

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request

  • CVE-2026-30925Mar 9, 2026
    affected < 8.6.11fixed 8.6.11

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js ev

  • CVE-2026-30854Mar 7, 2026
    affected >= 9.3.1, < 9.5.0fixed 9.5.0

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __t

  • CVE-2026-30850Mar 7, 2026
    affected < 9.5.0fixed 9.5.0

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these t

  • CVE-2026-30848Mar 7, 2026
    affected < 9.5.0fixed 9.5.0

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outsi

  • CVE-2026-30863Mar 7, 2026
    affected < 9.5.0fixed 9.5.0

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audien

  • CVE-2026-30835Mar 6, 2026
    affected < 9.5.0fixed 9.5.0

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized thro

  • CVE-2026-30229Mar 6, 2026
    affected < 9.5.0fixed 9.5.0

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impe

  • CVE-2026-30228Mar 6, 2026
    affected < 9.5.0fixed 9.5.0

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This

  • CVE-2026-29182Mar 6, 2026
    affected < 9.4.1fixed 9.4.1

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operation

  • CVE-2026-27804Feb 25, 2026
    affected < 8.6.3fixed 8.6.3

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google accou

  • CVE-2025-68150Dec 16, 2025
    affected < 8.6.2fixed 8.6.2

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enable

  • CVE-2025-68115Dec 16, 2025
    affected < 8.6.1fixed 8.6.1

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. Th

  • CVE-2025-67727Dec 12, 2025
    affected < 8.6.0fixed 8.6.0

    Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and

  • CVE-2025-64502MedNov 10, 2025
    affected < 8.5.0fixed 8.5.0

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to

Page 4 of 6