PatchSiren

parse-community CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW parse-community CVE published 2026-07-11

CVE-2026-61448

CVE-2026-61448 is a stored cross-site scripting (XSS) vulnerability in Parse Server versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. The vulnerability occurs when an uploaded file's extension is not recognized by the mime package, allowing a malformed Content-Type to bypass the fileUpload.fileExtensions blocklist and be stored unchanged. On storage adapters that persist and serve the uploaded Content-Ty [truncated]

LOW parse-community CVE published 2026-07-08

CVE-2026-57481

A LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83. The vulnerability affects Parse Server prior to 9.9.1-alpha.13 and 8.6.83, and users of Parse Server who util [truncated]

HIGH parse-community CVE published 2026-07-08

CVE-2026-57480

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:50.890Z and has not been modified since then. This vulnerability affects Parse Server, an open-source backend that can be deployed to any infrastructure running Node.js. The vulnerability is related to deeply nested query condition operators that could trigger exponential-time processing an [truncated]

LOW parse-community CVE published 2026-07-08

CVE-2026-55778

CVE-2026-55778 is a low-severity vulnerability in Parse Server, an open-source backend service. The issue allows attackers to bypass file extension restrictions, potentially leading to stored cross-site scripting (XSS) attacks. This vulnerability was addressed in Parse Server versions 9.9.1-alpha.11 and 8.6.81. Affected deployments should prioritize updating to these versions or later. Although rated low [truncated]

MEDIUM parse-community CVE published 2026-06-12

CVE-2026-53726

CVE-2026-53726 is a vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not [truncated]

MEDIUM parse-community CVE published 2026-06-12

CVE-2026-53725

CVE-2026-53725 is a sensitive data exposure vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. The vulnerability affects versions 9.8.0 to before 9.9.1-alpha.5. Apps that enable Multi-Factor Authentication (MFA) and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassw [truncated]

LOW parse-community CVE published 2026-06-12

CVE-2026-53724

CVE-2026-53724 is a low-severity vulnerability in Parse Server, an open-source backend. The issue allows an attacker to bypass the default file upload extension blocklist by appending a trailing dot to a filename whose extension would otherwise be blocked. This can lead to stored XSS when a victim opens the file URL. The vulnerability has been patched in versions 8.6.79 and 9.9.1-alpha.4.

MEDIUM parse-community CVE published 2026-06-12

CVE-2026-50008

CVE-2026-50008 is a security bypass vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. However, the check is only enforced as Express middleware against the outer HTTP request URL, [truncated]

MEDIUM parse-community CVE published 2026-06-12

CVE-2026-47248

CVE-2026-47248 is a vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure running Node.js. The vulnerability affects the GraphQL endpoint, which discloses schema metadata to unauthenticated callers through 'Did you mean ...?' suggestions embedded in GraphQL validation-error messages. This allows an unauthenticated caller with only the public application ID to ite [truncated]

HIGH parse-community CVE published 2026-06-12

CVE-2026-47138

CVE-2026-47138 is a HIGH-severity vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a r [truncated]

LOW parse-community CVE published 2026-05-12

CVE-2026-43930

A race condition in Parse Server's MFA SMS OTP login path allows two concurrent /login requests with the same OTP to both succeed, violating the single-use property of one-time passwords. The vulnerability exists in versions prior to 8.6.76 and 9.9.0-alpha.2. Exploitation requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g., via SIM swap, network mirror, or [truncated]