VYPR

Parse Server

by Parseplatform

Source repositories

CVEs (14)

  • CVE-2026-34532CriMar 31, 2026
    risk 0.52cvss 9.1epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the…

  • CVE-2026-34373HigMar 31, 2026
    risk 0.50cvss 8.8epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any…

  • CVE-2026-34784HigMar 31, 2026
    risk 0.42cvss 7.5epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support…

  • CVE-2026-34573HigMar 31, 2026
    risk 0.42cvss 7.5epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary…

  • CVE-2026-34215MedMar 31, 2026
    risk 0.35cvss 6.5epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access…

  • CVE-2026-43930MedMay 12, 2026
    risk 0.31cvss 5.9epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both…

  • CVE-2026-35200MedApr 6, 2026
    risk 0.28cvss 5.4epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that…

  • CVE-2026-34574MedMar 31, 2026
    risk 0.28cvss 5.4epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a…

  • CVE-2026-34363MedMar 31, 2026
    risk 0.27cvss 5.3epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using…

  • CVE-2026-34224MedMar 31, 2026
    risk 0.22cvss 4.4epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create…

  • CVE-2026-39381MedApr 7, 2026
    risk 0.21cvss 4.3epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields…

  • CVE-2026-34595MedMar 31, 2026
    risk 0.21cvss 4.3epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery…

  • CVE-2026-39321LowApr 7, 2026
    risk 0.17cvss 3.7epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user…

  • CVE-2025-67727Dec 12, 2025
    risk 0.00cvss epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets…