parse-community — Vulnerabilities & Security Advisories 110

Browse all 110 CVE security advisories affecting parse-community. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Parse Community provides an open-source backend infrastructure designed to simplify mobile and web application development by offering ready-to-use APIs for data storage, user authentication, and push notifications. This framework allows developers to deploy their own servers, reducing reliance on proprietary third-party services. However, its widespread adoption has made it a frequent target for security researchers, resulting in over 110 recorded Common Vulnerabilities and Exposures (CVEs). Historically, these flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation or insecure default configurations in older versions. While the project maintains an active security response process, the sheer volume of past incidents highlights the complexity of maintaining secure, self-hosted environments. Users are strongly advised to keep installations updated and adhere to strict configuration guidelines to mitigate risks associated with these known vulnerabilities.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32742 | Parse Server session creation endpoint allows overwriting server-generated session fields | parse-server | CWE-915 | 4.3 | Medium | 2026-03-18 |
| CVE-2026-32728 | Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries | parse-server | CWE-79 | 9.8 | - | 2026-03-18 |
| CVE-2026-32594 | Parse Server GraphQL WebSocket endpoint bypasses security middleware | parse-server | CWE-306 | 9.1 (AI) | Critical (AI) | 2026-03-13 |
| CVE-2026-32269 | Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint | parse-server | CWE-683 | 9.4 (AI) | Critical (AI) | 2026-03-12 |
| CVE-2026-32248 | Parse Server: Account takeover via operator injection in authentication data identifier | parse-server | CWE-943 | 7.4 (AI) | High (AI) | 2026-03-12 |
| CVE-2026-32242 | Parse Server OAuth2 adapter shares mutable state across providers via singleton instance | parse-server | CWE-362 | 8.2 (AI) | High (AI) | 2026-03-12 |
| CVE-2026-32234 | Parse Server has a SQL injection via query field name when using PostgreSQL | parse-server | CWE-89 | 8.8 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-32098 | Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause | parse-server | CWE-200 | 7.5 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31901 | Parse Server has user enumeration via email verification endpoint | parse-server | CWE-204 | 5.3 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31875 | Parse Server MFA recovery codes not consumed after use | parse-server | CWE-672 | 8.1 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31872 | Parse Server has a protected fields bypass via dot-notation in query and sort | parse-server | CWE-284 | 5.3 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31871 | Parse Server has a SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL | parse-server | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-31868 | Parse Server has Stored XSS via file upload of HTML-renderable file types | parse-server | CWE-79 | 7.6 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31856 | Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL | parse-server | CWE-89 | 9.1 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-31840 | Parse Server has a SQL injection via dot-notation field name in PostgreSQL | parse-server | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-31828 | Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction | parse-server | CWE-90 | 8.8 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-31800 | Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes | parse-server | CWE-862 | 9.8 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30972 | Parse Server has a rate limit bypass via batch request endpoint | parse-server | CWE-799 | 5.3 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30967 | Parse Server OAuth2 authentication adapter account takeover via identity spoofing | parse-server | CWE-287 | 9.8 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30966 | Parse Server role escalation and CLP bypass via direct `_Join` table write | parse-server | CWE-284 | 10.0 | Critical | 2026-03-10 |
| CVE-2026-30965 | Parse Server session token exfiltration via `redirectClassNameForKey` query parameter | parse-server | CWE-863 | 8.1 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30962 | Parse Server has a protected fields bypass via logical query operators | parse-server | CWE-284 | 6.5 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30949 | Parse Server is missing audience validation in Keycloak authentication adapter | parse-server | CWE-287 | 9.1 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30948 | Parse Server has stored cross-site scripting (XSS) via SVG file upload | parse-server | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30947 | Parse Server has a bypass of class-level permissions in LiveQuery | parse-server | CWE-863 | 7.5 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30946 | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API | parse-server | CWE-770 | 7.5 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30941 | Parse Server has a NoSQL injection via token type in password reset and email verification endpoints | parse-server | CWE-943 | 9.8 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30939 | Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution | parse-server | CWE-1321 | 7.5 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30938 | Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement | parse-server | CWE-693 | 9.1 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30925 | Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery | parse-server | CWE-1333 | 7.5 (AI) | High (AI) | 2026-03-09 |

This page lists every published CVE security advisory associated with parse-community. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.