These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-61448 is a stored cross-site scripting (XSS) vulnerability in Parse Server versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. The vulnerability occurs when an uploaded file's extension is not recognized by the mime package, allowing a malformed Content-Type to bypass the fileUpload.fileExtensions blocklist and be stored unchanged. On storage adapters that persist and serve the uploaded Content-Ty [truncated]
A LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83. The vulnerability affects Parse Server prior to 9.9.1-alpha.13 and 8.6.83, and users of Parse Server who util [truncated]
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:50.890Z and has not been modified since then. This vulnerability affects Parse Server, an open-source backend that can be deployed to any infrastructure running Node.js. The vulnerability is related to deeply nested query condition operators that could trigger exponential-time processing an [truncated]
CVE-2026-55778 is a low-severity vulnerability in Parse Server, an open-source backend service. The issue allows attackers to bypass file extension restrictions, potentially leading to stored cross-site scripting (XSS) attacks. This vulnerability was addressed in Parse Server versions 9.9.1-alpha.11 and 8.6.81. Affected deployments should prioritize updating to these versions or later. Although rated low [truncated]
CVE-2026-53726 is a vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not [truncated]
CVE-2026-53725 is a sensitive data exposure vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. The vulnerability affects versions 9.8.0 to before 9.9.1-alpha.5. Apps that enable Multi-Factor Authentication (MFA) and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassw [truncated]
CVE-2026-53724 is a low-severity vulnerability in Parse Server, an open-source backend. The issue allows an attacker to bypass the default file upload extension blocklist by appending a trailing dot to a filename whose extension would otherwise be blocked. This can lead to stored XSS when a victim opens the file URL. The vulnerability has been patched in versions 8.6.79 and 9.9.1-alpha.4.
CVE-2026-50008 is a security bypass vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. However, the check is only enforced as Express middleware against the outer HTTP request URL, [truncated]
CVE-2026-47248 is a vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure running Node.js. The vulnerability affects the GraphQL endpoint, which discloses schema metadata to unauthenticated callers through 'Did you mean ...?' suggestions embedded in GraphQL validation-error messages. This allows an unauthenticated caller with only the public application ID to ite [truncated]
CVE-2026-47138 is a HIGH-severity vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a r [truncated]
A race condition in Parse Server's MFA SMS OTP login path allows two concurrent /login requests with the same OTP to both succeed, violating the single-use property of one-time passwords. The vulnerability exists in versions prior to 8.6.76 and 9.9.0-alpha.2. Exploitation requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g., via SIM swap, network mirror, or [truncated]