| CVE | Severity | Score | Score | Age | Title |
|---|---|---|---|---|---|
| CVE-2026-47138 | high | — | 8.0 | 5d ago | Parse Server: Pre-authentication denial of service via client version header regex backtracking |
| CVE-2026-43930 | medium | 5.9 | 5.9 | 15d ago | parse-server: MFA SMS one-time password accepted twice under concurrent login |
| CVE-2026-39381 | unknown | — | — | 2mo ago | Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` |
| CVE-2026-39321 | unknown | — | — | 2mo ago | Parse Server has a login timing side-channel that reveals user existence |
| CVE-2026-35200 | unknown | — | — | 2mo ago | Parse Server: File upload Content-Type override via extension mismatch |
| CVE-2026-34784 | unknown | — | — | 2mo ago | Parse Server's streaming file download bypasses afterFind file trigger authorization |
| CVE-2026-34595 | unknown | — | — | 2mo ago | Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value |
| CVE-2026-34574 | unknown | — | — | 2mo ago | Parse Server has a session field immutability bypass via falsy-value guard |
| CVE-2026-34573 | unknown | — | — | 2mo ago | parse-server has GraphQL complexity validator exponential fragment traversal DoS |
| CVE-2026-34532 | unknown | — | — | 2mo ago | parse-server has cloud function validator bypass via prototype chain traversal |
| CVE-2026-34373 | unknown | — | — | 2mo ago | GraphQL API endpoint ignores CORS origin restriction |
| CVE-2026-34363 | unknown | — | — | 2mo ago | LiveQuery protected field leak via shared mutable state across concurrent subscribers |
| CVE-2026-34224 | unknown | — | — | 2mo ago | Parse Server has an MFA single-use token bypass via concurrent authData login requests |
| CVE-2026-34215 | unknown | — | — | 2mo ago | Parse Server exposes auth data via verify password endpoint |
| CVE-2026-33627 | unknown | — | — | 2mo ago | Parse Server exposes auth data via /users/me endpoint |
| CVE-2026-33624 | unknown | — | — | 2mo ago | Parse Server: MFA recovery code single-use bypass via concurrent requests |
| CVE-2026-33539 | unknown | — | — | 2mo ago | Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter |
| CVE-2026-33538 | unknown | — | — | 2mo ago | Parse Server: Denial of Service via unindexed database query for unconfigured auth providers |
| CVE-2026-33527 | unknown | — | — | 2mo ago | Parse Server's Session Update endpoint allows overwriting server-generated session fields |
| CVE-2026-33508 | unknown | — | — | 2mo ago | Parse Server LiveQuery subscription query depth bypass |
| CVE-2026-33498 | unknown | — | — | 2mo ago | Parse Server has a query condition depth bypass via pre-validation transform pipeline |
| CVE-2026-33429 | unknown | — | — | 2mo ago | Parse Server has a protected field change detection oracle via LiveQuery watch parameter |
| CVE-2026-33421 | unknown | — | — | 2mo ago | Parse Server's LiveQuery bypasses CLP pointer permission enforcement |
| CVE-2026-33409 | unknown | — | — | 2mo ago | Parse Server has an auth provider validation bypass on login via partial authData |
| CVE-2026-33323 | unknown | — | — | 2mo ago | Parse Server email verification resend page leaks user existence |
| CVE-2026-33163 | unknown | — | — | 2mo ago | Parse Server leaks protected fields via LiveQuery afterEvent trigger |
| CVE-2026-33042 | unknown | — | — | 2mo ago | Parse Server affected by empty authData bypassing credential requirement on signup |
| CVE-2026-32770 | unknown | — | — | 2mo ago | Parse Server LiveQuery subscription with invalid regular expression crashes server |
| CVE-2026-32742 | unknown | — | — | 2mo ago | Parse Server session creation endpoint allows overwriting server-generated session fields |
| CVE-2026-32878 | unknown | — | — | 2mo ago | Parse Server vulnerable to schema poisoning via prototype pollution in deep copy |
| CVE-2026-32886 | unknown | — | — | 2mo ago | Parse Server's Cloud function dispatch crashes server via prototype chain traversal |
| CVE-2026-32943 | unknown | — | — | 2mo ago | Parse Server has a password reset token single-use bypass via concurrent requests |
| CVE-2026-32944 | unknown | — | — | 2mo ago | Parse Server crash via deeply nested query condition operators |
| CVE-2026-32728 | unknown | — | — | 2mo ago | Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries |
| CVE-2026-32594 | unknown | — | — | 3mo ago | Parse Server's GraphQL WebSocket endpoint bypasses security middleware |
| CVE-2026-32269 | unknown | — | — | 3mo ago | Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint |
| CVE-2026-32248 | unknown | — | — | 3mo ago | Parse Server: Account takeover via operator injection in authentication data identifier |
| CVE-2026-32242 | unknown | — | — | 3mo ago | Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance |
| CVE-2026-32234 | unknown | — | — | 3mo ago | Parse Server has a SQL injection via query field name when using PostgreSQL |
| CVE-2026-32098 | unknown | — | — | 3mo ago | Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause |
| CVE-2026-31901 | unknown | — | — | 3mo ago | Parse Server vulnerable to user enumeration via email verification endpoint |
| CVE-2026-31875 | unknown | — | — | 3mo ago | Parse Server's MFA recovery codes not consumed after use |
| CVE-2026-31872 | unknown | — | — | 3mo ago | Parse Server has a protected fields bypass via dot-notation in query and sort |
| CVE-2026-31871 | unknown | — | — | 3mo ago | Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL |
| CVE-2026-31868 | unknown | — | — | 3mo ago | Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types |
| CVE-2026-31856 | unknown | — | — | 3mo ago | Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL |
| CVE-2026-31828 | unknown | — | — | 3mo ago | Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction |
| CVE-2026-31800 | unknown | — | — | 3mo ago | Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes |
| CVE-2026-30972 | unknown | — | — | 3mo ago | Parse Server has a rate limit bypass via batch request endpoint |
| CVE-2026-30967 | unknown | — | — | 3mo ago | Parse Server OAuth2 authentication adapter account takeover via identity spoofing |
| CVE-2026-30966 | unknown | — | — | 3mo ago | Parse Server has role escalation and CLP bypass via direct `_Join` table write |
| CVE-2026-30965 | unknown | — | — | 3mo ago | Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter |
| CVE-2026-30962 | unknown | — | — | 3mo ago | Parse Server has a protected fields bypass via logical query operators |
| CVE-2026-30949 | unknown | — | — | 3mo ago | Parse Server missing audience validation in Keycloak authentication adapter |
| CVE-2026-30948 | unknown | — | — | 3mo ago | Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload |
| CVE-2026-30947 | unknown | — | — | 3mo ago | Parse Server has a bypass of class-level permissions in LiveQuery |
| CVE-2026-30946 | unknown | — | — | 3mo ago | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API |
| CVE-2026-30941 | unknown | — | — | 3mo ago | Parse Server has a NoSQL injection via token type in password reset and email verification endpoints |
| CVE-2026-31840 | unknown | — | — | 3mo ago | Parse Server: SQL injection via dot-notation field name in PostgreSQL |
| CVE-2026-30939 | unknown | — | — | 3mo ago | Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution |
| CVE-2026-30938 | unknown | — | — | 3mo ago | Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement |
| CVE-2026-30925 | unknown | — | — | 3mo ago | Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery |
| CVE-2026-30863 | unknown | — | — | 3mo ago | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters |
| CVE-2026-30854 | unknown | — | — | 3mo ago | Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled |
| CVE-2026-30850 | unknown | — | — | 3mo ago | Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization |
| CVE-2026-30848 | unknown | — | — | 3mo ago | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory |
| CVE-2026-30835 | unknown | — | — | 3mo ago | parse-server: Malformed `$regex` query leaks database error details in API response |
| CVE-2026-30229 | unknown | — | — | 3mo ago | parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user |
| CVE-2026-30228 | unknown | — | — | 3mo ago | parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction |
| CVE-2026-29182 | unknown | — | — | 3mo ago | Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction |
| CVE-2026-27804 | unknown | — | — | 3mo ago | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter |
| CVE-2025-68150 | unknown | — | — | 5mo ago | Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter |
| CVE-2025-68115 | unknown | — | — | 5mo ago | Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables |
| CVE-2025-64502 | unknown | — | — | 7mo ago | Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details |
| CVE-2025-64430 | unknown | — | — | 7mo ago | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format |
| CVE-2025-53364 | unknown | — | — | 11mo ago | Parse Server exposes the data schema via GraphQL API |
| CVE-2025-30168 | unknown | — | — | 1y ago | Parse Server has an OAuth login vulnerability |
| CVE-2024-47183 | unknown | — | — | 2y ago | Parse Server's custom object ID allows to acquire role privileges |
| CVE-2024-39309 | unknown | — | — | 2y ago | ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability |
| CVE-2024-29027 | unknown | — | — | 2y ago | Server crashes on invalid Cloud Function or Cloud Job name |
| CVE-2024-27298 | unknown | — | — | 2y ago | ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection |
| CVE-2023-46119 | unknown | — | — | 3y ago | Parse Server may crash when uploading file without extension |
| CVE-2023-41058 | unknown | — | — | 3y ago | Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer |
| CVE-2023-36475 | unknown | — | — | 3y ago | Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution |
| CVE-2023-32689 | unknown | — | — | 3y ago | Phishing attack vulnerability by uploading malicious HTML file |
| CVE-2023-22474 | unknown | — | — | 3y ago | Parse Server option `masterKeyIps` vulnerability to IP spoofing |
| CVE-2022-41879 | unknown | — | — | 4y ago | Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks |
| CVE-2022-41878 | unknown | — | — | 4y ago | Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers |
| CVE-2022-39396 | unknown | — | — | 4y ago | Remote code execution via MongoDB BSON parser through prototype pollution |
| CVE-2022-39313 | unknown | — | — | 4y ago | parse-server crashes when receiving file download request with invalid byte range |
| CVE-2022-39231 | unknown | — | — | 4y ago | parse-server auth adapter app ID validation can be circumvented |
| CVE-2022-39225 | unknown | — | — | 4y ago | parse-server's session object properties can be updated by foreign user if object ID is known |
| CVE-2022-36079 | unknown | — | — | 4y ago | Parse Server vulnerable to brute force guessing of user sensitive data via search patterns |
| CVE-2022-31112 | unknown | — | — | 4y ago | Protected fields exposed via LiveQuery |
| CVE-2022-31089 | unknown | — | — | 4y ago | Invalid file request can crash server |
| CVE-2022-31083 | unknown | — | — | 4y ago | Authentication bypass vulnerability in Apple Game Center auth adapter |
| CVE-2022-24901 | unknown | — | — | 4y ago | Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter |
| CVE-2022-24760 | unknown | — | — | 4y ago | Command injection in Parse Server through prototype pollution |
| CVE-2021-41109 | unknown | — | — | 5y ago | LiveQuery publishes user session tokens in parse-server |
| CVE-2021-39187 | unknown | — | — | 5y ago | Parse Server crashes with query parameter |