Security advisories for the parse-server npm package, ordered by severity. Columns: severity rating, CVSS score, CVE identifier where one is listed, advisory title, and the affected version range as published ("from 0" means every release before the fixed version; prereleases such as `9.6.0-alpha.41` are ordinary semver prerelease versions, so a range ending `< 9.6.0-alpha.41` excludes that alpha and everything after it). Entries without a published severity or score are marked "—".

| Severity | CVSS | CVE | Advisory title | Affected versions |
|---|---|---|---|---|
| CRITICAL | 10.0 | CVE-2026-30966 | Parse Server has role escalation and CLP bypass via direct `_Join` table write | >= 9.0.0-alpha.1, < 9.5.2-alpha.7 |
| CRITICAL | 10.0 | CVE-2024-27298 | ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection | from 0, < 6.5.0 |
| CRITICAL | 10.0 | — | Command injection in Parse Server through prototype pollution | from 0, < 4.10.7 |
| CRITICAL | 9.8 | — | ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability | from 0, < 6.5.7 |
| CRITICAL | 9.8 | — | Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution | from 0, < 5.5.2 |
| CRITICAL | 9.8 | — | Remote code execution via MongoDB BSON parser through prototype pollution | from 0, < 4.10.18 |
| CRITICAL | 9.1 | — | Parse Server has an auth provider validation bypass on login via partial authData | >= 9.0.0, < 9.6.0-alpha.41 |
| CRITICAL | 9.0 | — | Server crashes on invalid Cloud Function or Cloud Job name | from 0, < 6.5.5 |
| HIGH | 8.7 | — | Parse Server option `masterKeyIps` vulnerability to IP spoofing | from 0, < 5.4.1 |
| HIGH | 8.6 | — | Parse Server vulnerable to brute force guessing of user sensitive data via search patterns | from 0, < 4.10.14 |
| HIGH | 8.6 | — | Authentication bypass vulnerability in Apple Game Center auth adapter | from 0, < 4.10.11 |
| HIGH | 8.2 | — | Protected fields exposed via LiveQuery | from 0, < 4.10.13 |
| HIGH | 8.1 | — | Parse Server's custom object ID allows to acquire role privileges | from 0, < 6.5.9 |
| HIGH | 7.7 | — | Parse Server stores password in plain text | from 0, < 4.5.0 |
| HIGH | 7.7 | — | Information disclosure in parse-server | from 0, < 4.1.0 |
| HIGH | 7.5 | — | Parse Server LiveQuery subscription query depth bypass | >= 9.0.0, < 9.6.0-alpha.45 |
| HIGH | 7.5 | — | Parse Server has a query condition depth bypass via pre-validation transform pipeline | >= 9.0.0, < 9.6.0-alpha.44 |
| HIGH | 7.5 | — | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format | >= 4.2.0, < 7.5.4 |
| HIGH | 7.5 | — | Parse Server may crash when uploading file without extension | >= 1.0.0, < 5.5.6 |
| HIGH | 7.5 | — | Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer | >= 1.0.0, < 5.5.5 |
| HIGH | 7.5 | — | parse-server crashes when receiving file download request with invalid byte range | from 0, < 4.10.17 |
| HIGH | 7.5 | — | Invalid file request can crash server | from 0, < 4.10.12 |
| HIGH | 7.5 | — | Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter | from 0, < 4.10.10 |
| HIGH | 7.5 | — | LiveQuery publishes user session tokens in parse-server | from 0, < 4.10.4 |
| HIGH | 7.5 | — | Parse Server crashes with query parameter | from 0, < 4.10.3 |
| HIGH | 7.5 | — | Parse Server before v3.4.1 vulnerable to Denial of Service | from 0, < 3.4.1 |
| HIGH | 7.2 | — | Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks | from 0, < 4.10.20 |
| HIGH | 7.2 | — | Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers | from 0, < 4.10.19 |
| MEDIUM | 6.9 | — | Parse Server has an OAuth login vulnerability | from 0, < 7.5.2 |
| MEDIUM | 6.5 | — | Parse Server's LiveQuery bypasses CLP pointer permission enforcement | >= 9.0.0, < 9.6.0-alpha.42 |
| MEDIUM | 6.5 | — | GraphQL: Security breach on Viewer query | >= 3.5.0, < 4.3.0 |
| MEDIUM | 6.3 | — | Phishing attack vulnerability by uploading malicious HTML file | from 0, < 5.4.4 |
| MEDIUM | 5.9 | — | Parse Server LiveQuery subscription with invalid regular expression crashes server | >= 9.0.0, < 9.6.0-alpha.19 |
| MEDIUM | 5.3 | — | Parse Server has a protected field change detection oracle via LiveQuery watch parameter | >= 9.0.0, < 9.6.0-alpha.43 |
| MEDIUM | 5.3 | — | Parse Server email verification resend page leaks user existence | >= 9.0.0, < 9.6.0-alpha.40 |
| MEDIUM | 5.3 | — | Parse Server exposes the data schema via GraphQL API | >= 8.0.0, < 8.2.2 |
| MEDIUM | 5.3 | — | Sensitive Data Exposure in parse-server | from 0, < 3.6.0 |
| MEDIUM | 4.8 | — | parse-server new anonymous user session acts as if it's created with password | from 0, < 4.5.2 |
| MEDIUM | 4.3 | — | Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` | >= 9.0.0, < 9.8.0-alpha.7 |
| MEDIUM | 4.3 | — | Parse Server's Session Update endpoint allows overwriting server-generated session fields | >= 9.0.0, < 9.6.0-alpha.48 |
| MEDIUM | 4.3 | — | Parse Server session creation endpoint allows overwriting server-generated session fields | >= 9.0.0, < 9.6.0-alpha.17 |
| MEDIUM | 4.3 | — | parse-server's session object properties can be updated by foreign user if object ID is known | from 0, < 4.10.15 |
| MEDIUM | 4.3 | — | receiving subscription objects with deleted session | from 0, < 4.4.0 |
| LOW | 3.7 | — | Parse Server has a login timing side-channel reveals user existence | >= 9.0.0, < 9.8.0-alpha.6 |
| LOW | 3.7 | — | parse-server auth adapter app ID validation can be circumvented | from 0, < 4.10.16 |
| — | — | — | Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers | >= 9.0.0, < 9.9.1-alpha.2 |
| — | — | — | Parse Server: Pre-authentication denial of service via client version header regex backtracking | >= 9.0.0, < 9.9.1-alpha.1 |
| — | — | — | parse-server: MFA SMS one-time password accepted twice under concurrent login | >= 9.0.0, < 9.9.0-alpha.2 |
| — | — | — | Parse Server: File upload Content-Type override via extension mismatch | >= 9.0.0, < 9.7.1-alpha.4 |
| — | — | — | Parse Server's streaming file download bypasses afterFind file trigger authorization | >= 9.0.0, < 9.7.1-alpha.1 |
| — | — | — | Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value | >= 9.0.0, < 9.7.0-alpha.16 |
| — | — | — | Parse Server has a session field immutability bypass via falsy-value guard | >= 9.0.0, < 9.7.0-alpha.14 |
| — | — | — | parse-server has GraphQL complexity validator exponential fragment traversal DoS | >= 9.0.0, < 9.7.0-alpha.12 |
| — | — | — | parse-server has cloud function validator bypass via prototype chain traversal | >= 9.0.0, < 9.7.0-alpha.11 |
| — | — | — | GraphQL API endpoint ignores CORS origin restriction | >= 9.0.0, < 9.7.0-alpha.10 |
| — | — | — | LiveQuery protected field leak via shared mutable state across concurrent subscribers | >= 9.0.0, < 9.7.0-alpha.9 |
| — | — | — | Parse Server has an MFA single-use token bypass via concurrent authData login requests | >= 9.0.0, < 9.7.0-alpha.8 |
| — | — | — | Parse Server exposes auth data via verify password endpoint | >= 9.0.0, < 9.7.0-alpha.7 |
| — | — | — | Parse Server exposes auth data via /users/me endpoint | >= 9.0.0, < 9.6.0-alpha.55 |
| — | — | — | Parse Server: MFA recovery code single-use bypass via concurrent requests | >= 9.0.0, < 9.6.0-alpha.54 |
| — | — | — | Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter | >= 9.0.0, < 9.6.0-alpha.53 |
| — | — | — | Parse Server: Denial of Service via unindexed database query for unconfigured auth providers | >= 9.0.0, < 9.6.0-alpha.52 |
| — | — | — | Parse Server leaks protected fields via LiveQuery afterEvent trigger | >= 9.0.0, < 9.6.0-alpha.35 |
| — | — | — | Parse Server affected by empty authData bypassing credential requirement on signup | >= 9.0.0, < 9.6.0-alpha.29 |
| — | — | — | Parse Server vulnerable to schema poisoning via prototype pollution in deep copy | >= 9.0.0, < 9.6.0-alpha.20 |
| — | — | — | Parse Server's Cloud function dispatch crashes server via prototype chain traversal | >= 9.0.0, < 9.6.0-alpha.24 |
| — | — | — | Parse Server has a password reset token single-use bypass via concurrent requests | >= 9.0.0, < 9.6.0-alpha.28 |
| — | — | — | Parse Server crash via deeply nested query condition operators | >= 9.0.0, < 9.6.0-alpha.21 |
| — | — | — | Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries | >= 9.0.0, < 9.6.0-alpha.15 |
| — | — | — | Parse Server's GraphQL WebSocket endpoint bypasses security middleware | >= 9.0.0, < 9.6.0-alpha.14 |
| — | — | — | Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint | >= 9.0.0, < 9.6.0-alpha.13 |
| — | — | — | Parse Server: Account takeover via operator injection in authentication data identifier | >= 9.0.0, < 9.6.0-alpha.12 |
| — | — | — | Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance | >= 9.0.0, < 9.6.0-alpha.11 |
| — | — | — | Parse Server has a SQL injection via query field name when using PostgreSQL | >= 9.0.0, < 9.6.0-alpha.10 |
| — | — | — | Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause | >= 9.0.0, < 9.6.0-alpha.9 |
| — | — | — | Parse Server vulnerable to user enumeration via email verification endpoint | >= 9.0.0-alpha.1, < 9.6.0-alpha.8 |
| — | — | — | Parse Server's MFA recovery codes not consumed after use | >= 9.0.0-alpha.1, < 9.6.0-alpha.7 |
| — | — | — | Parse Server has a protected fields bypass via dot-notation in query and sort | >= 9.0.0-alpha.1, < 9.6.0-alpha.6 |
| — | — | — | Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL | >= 9.0.0-alpha.1, < 9.6.0-alpha.5 |
| — | — | — | Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types | >= 9.0.0-alpha.1, < 9.6.0-alpha.4 |
| — | — | — | Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL | >= 9.0.0-alpha.1, < 9.6.0-alpha.3 |
| — | — | — | Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction | >= 9.0.0-alpha.1, < 9.5.2-alpha.13 |
| — | — | — | Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes | >= 9.0.0-alpha.1, < 9.5.2-alpha.12 |
| — | — | — | Parse Server has a rate limit bypass via batch request endpoint | >= 9.0.0-alpha.1, < 9.5.2-alpha.10 |
| — | — | — | Parse Server OAuth2 authentication adapter account takeover via identity spoofing | >= 9.0.0-alpha.1, < 9.5.2-alpha.9 |
| — | — | — | Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter | >= 9.0.0-alpha.1, < 9.5.2-alpha.8 |
| — | — | — | Parse Server has a protected fields bypass via logical query operators | >= 9.0.0, < 9.5.2-alpha.6 |
| — | — | — | Parse Server missing audience validation in Keycloak authentication adapter | >= 9.0.0, < 9.5.2-alpha.5 |
| — | — | — | Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload | >= 9.0.0, < 9.5.2-alpha.4 |
| — | — | — | Parse Server has a bypass of class-level permissions in LiveQuery | >= 9.0.0, < 9.5.2-alpha.3 |
| — | — | — | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API | from 0, < 8.6.15 |
| — | — | — | Parse Server has a NoSQL injection via token type in password reset and email verification endpoints | >= 9.0.0, < 9.5.2-alpha.1 |
| — | — | — | Parse Server: SQL injection via dot-notation field name in PostgreSQL | >= 9.0.0, < 9.6.0-alpha.2 |
| — | — | — | Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution | from 0, < 8.6.13 |
| — | — | — | Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement | from 0, < 8.6.12 |
| — | — | — | Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery | >= 9.0.0-alpha.1, < 9.5.0-alpha.14 |
| — | — | — | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | >= 9.0.0-alpha.1, < 9.5.0-alpha.11 |
| — | — | — | Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled | >= 9.3.1-alpha.3, < 9.5.0-alpha.10 |
| — | — | — | Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization | from 0, < 8.6.9 |
| — | — | — | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory | from 0, < 8.6.8 |