Published security advisories for the parse-server package, one per row. Affected-version ranges are written as a lower bound (`from 0` meaning every version, or `>= X`) followed by an exclusive upper bound (`< X`); advisories fixed on more than one release line list one such pair per line. Only the first two rows carry a CVE identifier on this page.

| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 10.0 | CVE-2026-30966 | Parse Server has role escalation and CLP bypass via direct `_Join` table write | from 0, < 8.6.20, >= 9.0.0, < 9.5.2 |
| CRITICAL | 10.0 | CVE-2024-27298 | ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection | from 0, < 6.5.0 |
| CRITICAL | 10.0 | | Command injection in Parse Server through prototype pollution | from 0, < 4.10.7 |
| CRITICAL | 9.8 | | ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability | from 0, < 7.2.0 |
| CRITICAL | 9.8 | | Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution | from 0, < 5.5.2, >= 6.0.0, < 6.2.1 |
| CRITICAL | 9.8 | | Remote code execution via MongoDB BSON parser through prototype pollution | from 0, < 4.10.18, >= 5.0.0, < 5.3.1 |
| CRITICAL | 9.1 | | Parse Server has an auth provider validation bypass on login via partial authData | from 0, < 8.6.52, >= 9.0.0, < 9.6.0 |
| CRITICAL | 9.0 | | Server crashes on invalid Cloud Function or Cloud Job name | from 0, < 6.5.5 |
| HIGH | 8.7 | | Parse Server option `masterKeyIps` vulnerability to IP spoofing | from 0, < 5.4.1 |
| HIGH | 8.6 | | Parse Server vulnerable to brute force guessing of user sensitive data via search patterns | from 0, < 4.10.14, >= 5.0.0, < 5.2.5 |
| HIGH | 8.6 | | Authentication bypass vulnerability in Apple Game Center auth adapter | from 0, < 4.10.11, >= 5.0.0, < 5.2.2 |
| HIGH | 8.2 | | Protected fields exposed via LiveQuery | from 0, < 4.10.13, >= 5.0.0, < 5.2.4 |
| HIGH | 8.1 | | Parse Server's custom object ID allows to acquire role privileges | from 0, < 7.3.0 |
| HIGH | 7.7 | | Parse Server stores password in plain text | from 0, < 4.5.0 |
| HIGH | 7.7 | | Information disclosure in parse-server | from 0, < 4.1.0 |
| HIGH | 7.5 | | Parse Server LiveQuery subscription query depth bypass | from 0, < 8.6.56, >= 9.0.0, < 9.6.0 |
| HIGH | 7.5 | | Parse Server has a query condition depth bypass via pre-validation transform pipeline | from 0, < 8.6.55, >= 9.0.0, < 9.6.0 |
| HIGH | 7.5 | | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format | >= 4.2.0, < 7.5.4, >= 8.0.0, < 8.4.0 |
| HIGH | 7.5 | | Parse Server may crash when uploading file without extension | >= 1.0.0, < 5.5.6, >= 6.0.0, < 6.3.1 |
| HIGH | 7.5 | | Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer | from 0, < 5.5.5, >= 6.0.0, < 6.2.2 |
| HIGH | 7.5 | | parse-server crashes when receiving file download request with invalid byte range | from 0, < 4.10.17, >= 5.0.0, < 5.2.8 |
| HIGH | 7.5 | | Invalid file request can crash server | from 0, < 4.10.12, >= 5.0.0, < 5.2.3 |
| HIGH | 7.5 | | Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter | from 0, < 4.10.10, >= 5.0.0, < 5.2.1 |
| HIGH | 7.5 | | LiveQuery publishes user session tokens in parse-server | from 0, < 4.10.4 |
| HIGH | 7.5 | | Parse Server crashes with query parameter | from 0, < 4.10.3 |
| HIGH | 7.2 | | Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks | from 0, < 4.10.20, >= 5.0.0, < 5.3.3 |
| HIGH | 7.2 | | Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers | from 0, < 4.10.19, >= 5.0.0, < 5.3.2 |
| MEDIUM | 6.9 | | Parse Server has an OAuth login vulnerability | from 0, < 8.0.2 |
| MEDIUM | 6.5 | | Parse Server's LiveQuery bypasses CLP pointer permission enforcement | from 0, < 8.6.53, >= 9.0.0, < 9.6.0 |
| MEDIUM | 6.3 | | Phishing attack vulnerability by uploading malicious HTML file | from 0, < 5.4.4, >= 6.0.0, < 6.1.1 |
| MEDIUM | 5.9 | | Parse Server LiveQuery subscription with invalid regular expression crashes server | from 0, < 8.6.43, >= 9.0.0, < 9.6.0 |
| MEDIUM | 5.3 | | Parse Server has a protected field change detection oracle via LiveQuery watch parameter | from 0, < 8.6.54, >= 9.0.0, < 9.6.0 |
| MEDIUM | 5.3 | | Parse Server email verification resend page leaks user existence | from 0, < 8.6.51, >= 9.0.0, < 9.6.0 |
| MEDIUM | 5.3 | | Parse Server exposes the data schema via GraphQL API | >= 5.3.0, < 8.2.2 |
| MEDIUM | 4.8 | | parse-server new anonymous user session acts as if it's created with password | from 0, < 4.5.1 |
| MEDIUM | 4.3 | | Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` | >= 7.0.0, < 8.6.75, >= 9.0.0, < 9.8.0 |
| MEDIUM | 4.3 | | Parse Server's Session Update endpoint allows overwriting server-generated session fields | from 0, < 8.6.57, >= 9.0.0, < 9.6.0 |
| MEDIUM | 4.3 | | Parse Server session creation endpoint allows overwriting server-generated session fields | from 0, < 8.6.42, >= 9.0.0, < 9.6.0 |
| MEDIUM | 4.3 | | parse-server's session object properties can be updated by foreign user if object ID is known | from 0, < 4.10.15, >= 5.0.0, < 5.2.6 |
| MEDIUM | 4.3 | | Receiving subscription objects with deleted session | from 0, < 4.3.1 |
| LOW | 3.7 | | Parse Server has a login timing side-channel that reveals user existence | from 0, < 8.6.74, >= 9.0.0, < 9.8.0 |
| LOW | 3.7 | | parse-server auth adapter app ID validation can be circumvented | from 0, < 4.10.16, >= 5.0.0, < 5.2.7 |
| — | — | | parse-server: MFA SMS one-time password accepted twice under concurrent login | from 0, < 8.6.76, >= 9.0.0, < 9.9.0 |
| — | — | | Parse Server: File upload Content-Type override via extension mismatch | from 0, < 8.6.73, >= 9.0.0, < 9.7.1 |
| — | — | | Parse Server's streaming file download bypasses afterFind file trigger authorization | from 0, < 8.6.71, >= 9.0.0, < 9.7.1 |
| — | — | | Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value | from 0, < 8.6.70, >= 9.0.0, < 9.7.0 |
| — | — | | Parse Server has a session field immutability bypass via falsy-value guard | from 0, < 8.6.69, >= 9.0.0, < 9.7.0 |
| — | — | | parse-server has GraphQL complexity validator exponential fragment traversal DoS | from 0, < 8.6.68, >= 9.0.0, < 9.7.0 |
| — | — | | parse-server has cloud function validator bypass via prototype chain traversal | from 0, < 8.6.67, >= 9.0.0, < 9.7.0 |
| — | — | | GraphQL API endpoint ignores CORS origin restriction | from 0, < 8.6.66, >= 9.0.0, < 9.7.0 |
| — | — | | LiveQuery protected field leak via shared mutable state across concurrent subscribers | from 0, < 8.6.65, >= 9.0.0, < 9.7.0 |
| — | — | | Parse Server has an MFA single-use token bypass via concurrent authData login requests | from 0, < 8.6.64, >= 9.0.0, < 9.7.0 |
| — | — | | Parse Server exposes auth data via verify password endpoint | from 0, < 8.6.63, >= 9.0.0, < 9.7.0 |
| — | — | | Parse Server exposes auth data via /users/me endpoint | from 0, < 8.6.61, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server: MFA recovery code single-use bypass via concurrent requests | from 0, < 8.6.60, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter | from 0, < 8.6.59, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server: Denial of Service via unindexed database query for unconfigured auth providers | from 0, < 8.6.58, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server leaks protected fields via LiveQuery afterEvent trigger | from 0, < 8.6.50, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server affected by empty authData bypassing credential requirement on signup | from 0, < 8.6.49, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server vulnerable to schema poisoning via prototype pollution in deep copy | from 0, < 8.6.44, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server's Cloud function dispatch crashes server via prototype chain traversal | from 0, < 8.6.47, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server has a password reset token single-use bypass via concurrent requests | from 0, < 8.6.48, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server crash via deeply nested query condition operators | from 0, < 8.6.45, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries | from 0, < 8.6.41, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server's GraphQL WebSocket endpoint bypasses security middleware | from 0, < 8.6.40, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint | >= 8.0.2, < 8.6.39, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server: Account takeover via operator injection in authentication data identifier | from 0, < 8.6.38, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance | from 0, < 8.6.37, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server has a SQL injection via query field name when using PostgreSQL | from 0, < 8.6.36, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause | from 0, < 8.6.35, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server vulnerable to user enumeration via email verification endpoint | from 0, < 8.6.34, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server's MFA recovery codes not consumed after use | from 0, < 8.6.33, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server has a protected fields bypass via dot-notation in query and sort | from 0, < 8.6.32, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL | from 0, < 8.6.31, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types | from 0, < 8.6.30, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL | from 0, < 8.6.29, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction | from 0, < 8.6.26, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes | from 0, < 8.6.25, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server has a rate limit bypass via batch request endpoint | from 0, < 8.6.23, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server OAuth2 authentication adapter account takeover via identity spoofing | from 0, < 8.6.22, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter | from 0, < 8.6.21, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server has a protected fields bypass via logical query operators | from 0, < 8.6.19, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server missing audience validation in Keycloak authentication adapter | from 0, < 8.6.18, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload | from 0, < 8.6.17, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server has a bypass of class-level permissions in LiveQuery | from 0, < 8.6.16, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API | from 0, < 8.6.15, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server has a NoSQL injection via token type in password reset and email verification endpoints | from 0, < 8.6.14, >= 9.0.0, < 9.5.2 |
| — | — | | Parse Server: SQL injection via dot-notation field name in PostgreSQL | from 0, < 8.6.28, >= 9.0.0, < 9.6.0 |
| — | — | | Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution | from 0, < 8.6.13, >= 9.0.0, < 9.5.1 |
| — | — | | Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement | from 0, < 8.6.12, >= 9.0.0, < 9.5.1 |
| — | — | | Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery | from 0, < 8.6.11, >= 9.0.0, < 9.5.0 |
| — | — | | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | from 0, < 9.5.0 |
| — | — | | Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled | >= 9.3.1, < 9.5.0 |
| — | — | | Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization | from 0, < 9.5.0 |
| — | — | | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory | from 0, < 9.5.0 |
| — | — | | parse-server: Malformed `$regex` query leaks database error details in API response | from 0, < 9.5.0 |
| — | — | | parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user | from 0, < 9.5.0 |
| — | — | | parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction | from 0, < 9.5.0 |
| — | — | | Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction | from 0, < 9.4.1 |
| — | — | | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter | from 0, < 8.6.3, >= 9.0.0, < 9.3.1 |
| — | — | | Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management | from 0, < 8.6.0 |
| — | — | | Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter | from 0, < 8.6.2, >= 9.0.0, < 9.1.1 |
| — | — | | Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables | from 0, < 8.6.1, >= 9.0.0, < 9.1.0 |
| — | — | | Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details | from 0, < 8.5.0 |