parse-server vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
| --- | --- | --- |
| GHSA-97PR-9HGG-3P8R | Low | parse-server: parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change |
| CVE-2026-55778 | Low | parse-server: parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist |
| CVE-2026-53726 | Medium | parse-server: parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL |
| CVE-2026-53725 | Medium | parse-server: parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields… |
| CVE-2026-53724 | Low | parse-server: parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist |
| CVE-2026-50008 | Medium | parse-server: parse-server: Server option routeAllowList is bypassable through batch sub-requests |
| GHSA-CGXM-VR2F-6FJ8 | High | parse-server: parse-server: Denial of service via exponential-time processing of deeply nested query operators |
| CVE-2026-47248 | Medium | parse-server: Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to… |
| CVE-2026-47138 | High | parse-server: Parse Server: Pre-authentication denial of service via client version header regex backtracking |
| CVE-2026-43930 | Low | parse-server: parse-server: MFA SMS one-time password accepted twice under concurrent login |
| CVE-2026-39381 | Medium | parse-server: Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` |
| CVE-2026-39321 | Medium | parse-server: Parse Server has a login timing side-channel reveals user existence |
| CVE-2026-35200 | Low | parse-server: Parse Server: File upload Content-Type override via extension mismatch |
| CVE-2026-34784 | High | parse-server: Parser Server's streaming file download bypasses afterFind file trigger authorization |
| CVE-2026-34595 | Medium | parse-server: Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value |
| CVE-2026-34574 | Medium | parse-server: Parse Server has a session field immutability bypass via falsy-value guard |
| CVE-2026-34573 | High | parse-server: parse-server has GraphQL complexity validator exponential fragment traversal DoS |
| CVE-2026-34532 | Critical | parse-server: parse-server has cloud function validator bypass via prototype chain traversal |
| CVE-2026-34373 | Medium | parse-server: GraphQL API endpoint ignores CORS origin restriction |
| CVE-2026-34363 | High | parse-server: LiveQuery protected field leak via shared mutable state across concurrent subscribers |
| CVE-2026-34224 | Low | parse-server: Parse Server has an MFA single-use token bypass via concurrent authData login requests |
| CVE-2026-34215 | High | parse-server: Parse Server exposes auth data via verify password endpoint |
| CVE-2026-33627 | High | parse-server: Parse Server exposes auth data via /users/me endpoint |
| CVE-2026-33624 | Low | parse-server: Parse Server: MFA recovery code single-use bypass via concurrent requests |
| CVE-2026-33539 | High | parse-server: Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter |
