100 Total advisories
100 Vulnerabilities
0 Malware
Vulnerabilities
UNKNOWN
CVE-2026-47248
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
UNKNOWN
CVE-2026-47138
Parse Server: Pre-authentication denial of service via client version header regex backtracking
UNKNOWN
CVE-2026-43930
parse-server: MFA SMS one-time password accepted twice under concurrent login
MEDIUM 4.3
CVE-2026-39381
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
LOW 3.7
CVE-2026-39321
Parse Server has a login timing side-channel reveals user existence
UNKNOWN
CVE-2026-35200
Parse Server: File upload Content-Type override via extension mismatch
UNKNOWN
CVE-2026-34363
LiveQuery protected field leak via shared mutable state across concurrent subscribers
UNKNOWN
CVE-2026-34784
Parser Server's streaming file download bypasses afterFind file trigger authorization
UNKNOWN
CVE-2026-34574
Parse Server has a session field immutability bypass via falsy-value guard
UNKNOWN
CVE-2026-34532
parse-server has cloud function validator bypass via prototype chain traversal
UNKNOWN
CVE-2026-34373
GraphQL API endpoint ignores CORS origin restriction
UNKNOWN
CVE-2026-34215
Parse Server exposes auth data via verify password endpoint
UNKNOWN
CVE-2026-34595
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
UNKNOWN
CVE-2026-34573
parse-server has GraphQL complexity validator exponential fragment traversal DoS
UNKNOWN
CVE-2026-34224
Parse Server has an MFA single-use token bypass via concurrent authData login requests
MEDIUM 5.3
CVE-2026-33429
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
CRITICAL 9.1
CVE-2026-33409
Parse Server has an auth provider validation bypass on login via partial authData
MEDIUM 4.3
CVE-2026-33527
Parse Server's Session Update endpoint allows overwriting server-generated session fields
MEDIUM 5.3
CVE-2026-33323
Parse Server email verification resend page leaks user existence
HIGH 7.5
CVE-2026-33508
Parse Server LiveQuery subscription query depth bypass
HIGH 7.5
CVE-2026-33498
Parse Server has a query condition depth bypass via pre-validation transform pipeline
MEDIUM 6.5
CVE-2026-33421
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
UNKNOWN
CVE-2026-33627
Parse Server exposes auth data via /users/me endpoint
UNKNOWN
CVE-2026-33624
Parse Server: MFA recovery code single-use bypass via concurrent requests
UNKNOWN
CVE-2026-33539
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
UNKNOWN
CVE-2026-33538
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
UNKNOWN
CVE-2026-33042
Parse Server affected by empty authData bypassing credential requirement on signup
MEDIUM 4.3
CVE-2026-32742
Parse Server session creation endpoint allows overwriting server-generated session fields
UNKNOWN
CVE-2026-32943
Parse Server has a password reset token single-use bypass via concurrent requests
UNKNOWN
CVE-2026-32728
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
UNKNOWN
CVE-2026-32886
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
UNKNOWN
CVE-2026-32944
Parse Server crash via deeply nested query condition operators
UNKNOWN
CVE-2026-33163
Parse Server leaks protected fields via LiveQuery afterEvent trigger
UNKNOWN
CVE-2026-32878
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
MEDIUM 5.9
CVE-2026-32770
Parse Server LiveQuery subscription with invalid regular expression crashes server
UNKNOWN
CVE-2026-32594
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
UNKNOWN
CVE-2026-30946
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
UNKNOWN
CVE-2026-32242
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
UNKNOWN
CVE-2026-32248
Parse Server: Account takeover via operator injection in authentication data identifier
UNKNOWN
CVE-2026-32269
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
UNKNOWN
CVE-2026-30938
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
UNKNOWN
CVE-2026-30939
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
UNKNOWN
CVE-2026-30925
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
UNKNOWN
CVE-2026-30854
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
UNKNOWN
CVE-2026-29182
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
UNKNOWN
CVE-2026-30863
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
UNKNOWN
CVE-2026-30228
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
UNKNOWN
CVE-2026-30850
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
UNKNOWN
CVE-2026-30229
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
UNKNOWN
CVE-2026-30848
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
UNKNOWN
CVE-2026-30835
parse-server: Malformed `$regex` query leaks database error details in API response
UNKNOWN
CVE-2026-32234
Parse Server has a SQL injection via query field name when using PostgreSQL
UNKNOWN
CVE-2026-30949
Parse Server missing audience validation in Keycloak authentication adapter
UNKNOWN
CVE-2026-30967
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
UNKNOWN
CVE-2026-31800
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
UNKNOWN
CVE-2026-30941
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
CRITICAL 10.0
CVE-2026-30966
Parse Server has role escalation and CLP bypass via direct `_Join` table write
UNKNOWN
CVE-2026-30962
Parse Server has a protected fields bypass via logical query operators
UNKNOWN
CVE-2026-31828
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
UNKNOWN
CVE-2026-30948
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
UNKNOWN
CVE-2026-30972
Parse Server has a rate limit bypass via batch request endpoint
UNKNOWN
CVE-2026-30965
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
UNKNOWN
CVE-2026-30947
Parse Server has a bypass of class-level permissions in LiveQuery
UNKNOWN
CVE-2026-32098
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
HIGH 7.5
CVE-2019-1020012
Parse Server before v3.4.1 vulnerable to Denial of Service
HIGH 7.7
CVE-2020-26288
Parse Server stores password in plain text
MEDIUM 6.5
CVE-2020-15126
GraphQL: Security breach on Viewer query
HIGH 7.5
CVE-2021-41109
LiveQuery publishes user session tokens in parse-server
MEDIUM 4.8
CVE-2021-39138
parse-server new anonymous user session acts as if it's created with password
MEDIUM 4.3
CVE-2020-15270
receiving subscription objects with deleted session
MEDIUM 5.3
CVE-2019-1020013
Sensitive Data Exposure in parse-server
HIGH 7.5
CVE-2021-39187
Parse Server crashes with query parameter
HIGH 7.7
CVE-2020-5251
Information disclosure in parse-server
UNKNOWN
CVE-2026-31871
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
UNKNOWN
CVE-2026-31840
Parse Server: SQL injection via dot-notation field name in PostgreSQL
UNKNOWN
CVE-2026-31901
Parse Server vulnerable to user enumeration via email verification endpoint
UNKNOWN
CVE-2026-31868
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
UNKNOWN
CVE-2026-31856
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
UNKNOWN
CVE-2026-31875
Parse Server's MFA recovery codes not consumed after use
UNKNOWN
CVE-2026-31872
Parse Server has a protected fields bypass via dot-notation in query and sort
UNKNOWN
CVE-2026-27804
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
UNKNOWN
CVE-2025-68150
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
UNKNOWN
CVE-2025-68115
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
UNKNOWN
CVE-2025-64502
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
HIGH 7.5
CVE-2025-64430
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
MEDIUM 5.3
CVE-2025-53364
Parse Server exposes the data schema via GraphQL API
MEDIUM 6.9
CVE-2025-30168
Parse Server has an OAuth login vulnerability
HIGH 8.1
CVE-2024-47183
Parse Server's custom object ID allows to acquire role privileges
CRITICAL 9.8
CVE-2024-39309
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
CRITICAL 10.0
CVE-2024-27298
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
CRITICAL 9.0
CVE-2024-29027
Server crashes on invalid Cloud Function or Cloud Job name
HIGH 7.5
CVE-2023-46119
Parse Server may crash when uploading file without extension
HIGH 7.5
CVE-2023-41058
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
CRITICAL 9.8
CVE-2023-36475
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
MEDIUM 6.3
CVE-2023-32689
Phishing attack vulnerability by uploading malicious HTML file
HIGH 8.7
CVE-2023-22474
Parse Server option `masterKeyIps` vulnerability to IP spoofing
HIGH 7.2
CVE-2022-41879
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
HIGH 7.2
CVE-2022-41878
Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers
CRITICAL 9.8
CVE-2022-39396
Remote code execution via MongoDB BSON parser through prototype pollution
HIGH 7.5
CVE-2022-39313
parse-server crashes when receiving file download request with invalid byte range
Ready to move
Start Securing
Free, no credit card | First findings in minutes