
parse-community — Vulnerabilities & Security Advisories (110)

Browse all 110 CVE security advisories affecting parse-community. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Parse Community provides an open-source backend infrastructure designed to simplify mobile and web application development by offering ready-to-use APIs for data storage, user authentication, and push notifications. This framework allows developers to deploy their own servers, reducing reliance on proprietary third-party services. However, its widespread adoption has made it a frequent target for security researchers, resulting in over 110 recorded Common Vulnerabilities and Exposures (CVEs). Historically, these flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation or insecure default configurations in older versions. While the project maintains an active security response process, the sheer volume of past incidents highlights the complexity of maintaining secure, self-hosted environments. Users are strongly advised to keep installations updated and adhere to strict configuration guidelines to mitigate risks associated with these known vulnerabilities.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-30854 | Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled | parse-server | CWE-863 | 5.3 | - | 2026-03-07 |
| CVE-2026-30850 | Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization | parse-server | CWE-862 | 5.3 | - | 2026-03-07 |
| CVE-2026-30848 | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory | parse-server | CWE-22 | 7.5 | - | 2026-03-07 |
| CVE-2026-30863 | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | parse-server | CWE-287 | 9.8 | - | 2026-03-07 |
| CVE-2026-30835 | Parse Server: Malformed `$regex` query leaks database error details in API response | parse-server | CWE-209 | 7.5 | - | 2026-03-06 |
| CVE-2026-30229 | Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user | parse-server | CWE-863 | 9.8 | - | 2026-03-06 |
| CVE-2026-30228 | Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction | parse-server | CWE-863 | 9.1 | - | 2026-03-06 |
| CVE-2026-29182 | Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction | parse-server | CWE-863 | 8.1 | - | 2026-03-06 |
| CVE-2026-27804 | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter | parse-server | CWE-327 | 9.8 (AI) | Critical (AI) | 2026-02-25 |
| CVE-2026-27595 | Parse Dashboard has incomplete authentication on AI Agent endpoint | parse-dashboard | CWE-306 | 9.1 (AI) | Critical (AI) | 2026-02-25 |
| CVE-2026-27610 | Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions | parse-dashboard | CWE-1289 | 5.3 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2026-27609 | Parse Dashboard Missing CSRF Protection on Agent Endpoint | parse-dashboard | CWE-352 | 8.8 (AI) | High (AI) | 2026-02-25 |
| CVE-2026-27608 | Parse Dashboard Missing Authorization on Agent Endpoint | parse-dashboard | CWE-862 | 8.8 (AI) | High (AI) | 2026-02-25 |
| CVE-2025-68150 | Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter | parse-server | CWE-918 | 9.1 (AI) | Critical (AI) | 2025-12-16 |
| CVE-2025-68115 | Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables | parse-server | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-12-16 |
| CVE-2025-67727 | Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management | parse-server | CWE-94 | 9.8 (AI) | Critical (AI) | 2025-12-12 |
| CVE-2025-64502 | Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details | parse-server | CWE-201 | 5.3 | - | 2025-11-10 |
| CVE-2025-64430 | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format | parse-server | CWE-918 | 7.5 | High | 2025-11-07 |
| CVE-2025-62374 | Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs | Parse-SDK-JS | CWE-1321 | 6.4 | Medium | 2025-10-14 |
| CVE-2025-53364 | Parse Server exposes the data schema via GraphQL API | parse-server | CWE-497 | 5.3 | Medium | 2025-07-10 |
| CVE-2025-30168 | Parse Server has an OAuth login vulnerability | parse-server | CWE-287 | 6.9 | Medium | 2025-03-21 |
| CVE-2024-47183 | Parse Server's custom object ID allows to acquire role privileges | parse-server | CWE-285 | 8.1 | High | 2024-10-04 |
| CVE-2024-39309 | ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability | parse-server | CWE-288 | 9.8 | Critical | 2024-07-01 |
| CVE-2024-29027 | Parse Server crash and RCE via invalid Cloud Function or Cloud Job name | parse-server | CWE-74 | 9.1 | Critical | 2024-03-19 |
| CVE-2024-27298 | Parse Server literalizeRegexPart SQL Injection | parse-server | CWE-89 | 10.0 | Critical | 2024-03-01 |
| CVE-2023-46119 | Parse Server may crash when uploading file without extension | parse-server | CWE-23 | 7.5 | High | 2023-10-25 |
| CVE-2023-41058 | Trigger `beforeFind` not invoked in internal query pipeline in parse-server | parse-server | CWE-670 | 7.5 | High | 2023-09-04 |
| CVE-2023-36475 | Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution | parse-server | CWE-1321 | 9.8 | Critical | 2023-06-28 |
| CVE-2023-32689 | Parse Server vulnerable to phishing attack vulnerability that involves uploading malicious HTML file | parse-server | CWE-434 | 6.3 | Medium | 2023-05-30 |
| CVE-2023-32688 | Invalid push request payload crashes Parse Server | parse-server-push-adapter | CWE-20 | 4.9 | Medium | 2023-05-27 |

This page lists every published CVE security advisory associated with parse-community. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.