parse-server
npm57 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting parse-serverpage 2 of 2
- CVE-2026-50008MEDIUMCVSS 6.9EG 6.9✓ Fixed in 9.9.1-alpha.32026-06-12
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured l…
- CVE-2026-53724LOWCVSS 2.1EG 2.1✓ Fixed in 8.6.792026-06-12
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to …
- CVE-2026-53725MEDIUMCVSS 5.9EG 5.9✓ Fixed in 9.9.1-alpha.52026-06-12
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions co…
- CVE-2026-53726MEDIUMCVSS 6.9EG 6.9✓ Fixed in 8.6.802026-06-12
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation fiel…
- CVE-2026-55778LOWCVSS 2.1EG 2.1✓ Fixed in 8.6.812026-06-19
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-st…
- CVE-2026-57480HIGHCVSS 8.7EG 8.7✓ Fixed in 9.9.1-alpha.122026-07-08
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query hand…
- CVE-2026-57481LOWCVSS 2.3EG 2.3✓ Fixed in 9.9.1-alpha.132026-07-08
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a si…
Check whether parse-server is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for parse-server CVEs against the assets you own.
Start Free Scan →