pkg:Bitnami/parse

104 total CVEs: CRITICAL 8, HIGH 19, MEDIUM 13, LOW 2 (the remainder are unrated)


All known vulnerabilities

  • CRITICAL 10.0 CVE-2026-30966: Parse Server role escalation and CLP bypass via direct `_Join` table write
    Affected: from 0, < 8.6.20; >= 9.0.0, < 9.5.2
  • CRITICAL 10.0 CVE-2024-27298: Parse Server literalizeRegexPart SQL Injection
    Affected: from 0, < 6.5.0
  • CRITICAL 10.0 CVE-2022-24760: Command Injection in Parse server
    Affected: from 0, < 4.10.7
  • CRITICAL 9.8 CVE-2024-39309: ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
    Affected: from 0, < 7.2.0
  • CRITICAL 9.8 CVE-2023-36475: Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
    Affected: from 0, < 5.5.2; >= 6.0.0, < 6.2.1
  • CRITICAL 9.8 CVE-2022-39396: Parse Server vulnerable to Remote Code Execution via prototype pollution in MongoDB BSON parser
    Affected: from 0, < 4.10.18; >= 5.0.0, < 5.3.1
  • CRITICAL 9.1 CVE-2026-33409: Parse Server has an auth provider validation bypass on login via partial authData
    Affected: from 0, < 8.6.52; >= 9.0.0, < 9.6.0
  • CRITICAL 9.0 CVE-2024-29027: Parse Server crash and RCE via invalid Cloud Function or Cloud Job name
    Affected: from 0, < 6.5.5
  • HIGH 8.7 CVE-2023-22474: Parse Server is vulnerable to authentication bypass via spoofing
    Affected: from 0, < 5.4.1
  • HIGH 8.6 CVE-2022-36079: Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
    Affected: from 0, < 4.10.14; >= 5.0.0, < 5.2.5
  • HIGH 8.6 CVE-2022-31083: Authentication bypass in Parse Server Apple Game Center auth adapter
    Affected: from 0, < 4.10.11; >= 5.0.0, < 5.2.2
  • HIGH 8.2 CVE-2022-31112: Protected fields exposed via LiveQuery in parse-server
    Affected: from 0, < 4.10.13; >= 5.0.0, < 5.2.4
  • HIGH 8.1 CVE-2024-47183: Parse Server's custom object ID allows to acquire role privileges
    Affected: from 0, < 7.3.0
  • HIGH 7.7 CVE-2020-26288: Parse Server stores password in plain text
    Affected: from 0, < 4.5.0
  • HIGH 7.7 CVE-2020-5251: Information disclosure in parse-server
    Affected: from 0, < 4.1.0
  • HIGH 7.5 CVE-2026-33508: Parse Server LiveQuery subscription query depth bypass
    Affected: from 0, < 8.6.56; >= 9.0.0, < 9.6.0
  • HIGH 7.5 CVE-2026-33498: Parse Server has a query condition depth bypass via pre-validation transform pipeline
    Affected: from 0, < 8.6.55; >= 9.0.0, < 9.6.0
  • HIGH 7.5 CVE-2025-64430: Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
    Affected: >= 4.2.0, < 7.5.4; >= 8.0.0, < 8.4.0
  • HIGH 7.5 CVE-2023-46119: Parse Server may crash when uploading file without extension
    Affected: >= 1.0.0, < 5.5.6; >= 6.0.0, < 6.3.1
  • HIGH 7.5 CVE-2023-41058: Trigger `beforeFind` not invoked in internal query pipeline in parse-server
    Affected: from 0, < 5.5.5; >= 6.0.0, < 6.2.2
  • HIGH 7.5 CVE-2022-39313: Parse Server crashes when receiving file download request with invalid byte range
    Affected: from 0, < 4.10.17; >= 5.0.0, < 5.2.8
  • HIGH 7.5 CVE-2022-31089: Invalid file request can crash parse-server
    Affected: from 0, < 4.10.12; >= 5.0.0, < 5.2.3
  • HIGH 7.5 CVE-2022-24901: Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
    Affected: from 0, < 4.10.10; >= 5.0.0, < 5.2.1
  • HIGH 7.5 CVE-2021-41109: LiveQuery publishes user session tokens in parse-server
    Affected: from 0, < 4.10.4
  • HIGH 7.5 CVE-2021-39187: Parse Server crashes with query parameter
    Affected: from 0, < 4.10.3
  • HIGH 7.2 CVE-2022-41879: Parse Server subject to Prototype pollution via Cloud Code Webhooks
    Affected: from 0, < 4.10.20; >= 5.0.0, < 5.3.3
  • HIGH 7.2 CVE-2022-41878: Parse Server Prototype pollution and Injection via Cloud Code Webhooks or Cloud Code Triggers
    Affected: from 0, < 4.10.19; >= 5.0.0, < 5.3.2
  • MEDIUM 6.9 CVE-2025-30168: Parse Server has an OAuth login vulnerability
    Affected: from 0, < 8.0.2
  • MEDIUM 6.5 CVE-2026-33421: Parse Server's LiveQuery bypasses CLP pointer permission enforcement
    Affected: from 0, < 8.6.53; >= 9.0.0, < 9.6.0
  • MEDIUM 6.3 CVE-2023-32689: Parse Server vulnerable to phishing attack vulnerability that involves uploading malicious HTML file
    Affected: from 0, < 5.4.4; >= 6.0.0, < 6.1.1
  • MEDIUM 5.9 CVE-2026-32770: Parse Server LiveQuery subscription with invalid regular expression crashes server
    Affected: from 0, < 8.6.43; >= 9.0.0, < 9.6.0
  • MEDIUM 5.3 CVE-2026-33429: Parse Server has a protected field change detection oracle via LiveQuery watch parameter
    Affected: from 0, < 8.6.54; >= 9.0.0, < 9.6.0
  • MEDIUM 5.3 CVE-2026-33323: Parse Server email verification resend page leaks user existence
    Affected: from 0, < 8.6.51; >= 9.0.0, < 9.6.0
  • MEDIUM 5.3 CVE-2025-53364: Parse Server exposes the data schema via GraphQL API
    Affected: >= 5.3.0, < 8.2.2
  • MEDIUM 4.8 CVE-2021-39138: parse-server new anonymous user session acts as if it's created with password
    Affected: from 0, < 4.5.1
  • MEDIUM 4.3 CVE-2026-39381: Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
    Affected: >= 7.0.0, < 8.6.75; >= 9.0.0, < 9.8.0
  • MEDIUM 4.3 CVE-2026-33527: Parse Server's Session Update endpoint allows overwriting server-generated session fields
    Affected: from 0, < 8.6.57; >= 9.0.0, < 9.6.0
  • MEDIUM 4.3 CVE-2026-32742: Parse Server session creation endpoint allows overwriting server-generated session fields
    Affected: from 0, < 8.6.42; >= 9.0.0, < 9.6.0
  • MEDIUM 4.3 CVE-2022-39225: Parse Server subject to Incorrect Resource Transfer Between Spheres
    Affected: from 0, < 4.10.15; >= 5.0.0, < 5.2.6
  • MEDIUM 4.3 CVE-2020-15270: receiving subscription objects with deleted session
    Affected: from 0, < 4.3.1
  • LOW 3.7 CVE-2026-39321: Parse Server has a login timing side-channel reveals user existence
    Affected: from 0, < 8.6.74; >= 9.0.0, < 9.8.0
  • LOW 3.7 CVE-2022-39231: Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented
    Affected: from 0, < 4.10.16; >= 5.0.0, < 5.2.7
  • CVE-2026-43930: parse-server: MFA SMS one-time password accepted twice under concurrent login
    Affected: from 0, < 8.6.76; >= 9.0.0, < 9.9.0
  • CVE-2026-35200: Parse Server: File upload Content-Type override via extension mismatch
    Affected: from 0, < 8.6.73; >= 9.0.0, < 9.7.1
  • CVE-2026-34784: Parse Server's streaming file download bypasses afterFind file trigger authorization
    Affected: from 0, < 8.6.71; >= 9.0.0, < 9.7.1
  • CVE-2026-34595: Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
    Affected: from 0, < 8.6.70; >= 9.0.0, < 9.7.0
  • CVE-2026-34574: Parse Server has a session field immutability bypass via falsy-value guard
    Affected: from 0, < 8.6.69; >= 9.0.0, < 9.7.0
  • CVE-2026-34573: parse-server has GraphQL complexity validator exponential fragment traversal DoS
    Affected: from 0, < 8.6.68; >= 9.0.0, < 9.7.0
  • CVE-2026-34532: parse-server has cloud function validator bypass via prototype chain traversal
    Affected: from 0, < 8.6.67; >= 9.0.0, < 9.7.0
  • CVE-2026-34373: GraphQL API endpoint ignores CORS origin restriction
    Affected: from 0, < 8.6.66; >= 9.0.0, < 9.7.0
  • CVE-2026-34363: LiveQuery protected field leak via shared mutable state across concurrent subscribers
    Affected: from 0, < 8.6.65; >= 9.0.0, < 9.7.0
  • CVE-2026-34224: Parse Server has an MFA single-use token bypass via concurrent authData login requests
    Affected: from 0, < 8.6.64; >= 9.0.0, < 9.7.0
  • CVE-2026-34215: Parse Server exposes auth data via verify password endpoint
    Affected: from 0, < 8.6.63; >= 9.0.0, < 9.7.0
  • CVE-2026-33627: Parse Server exposes auth data via /users/me endpoint
    Affected: from 0, < 8.6.61; >= 9.0.0, < 9.6.0
  • CVE-2026-33624: Parse Server: MFA recovery code single-use bypass via concurrent requests
    Affected: from 0, < 8.6.60; >= 9.0.0, < 9.6.0
  • CVE-2026-33539: Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
    Affected: from 0, < 8.6.59; >= 9.0.0, < 9.6.0
  • CVE-2026-33538: Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
    Affected: from 0, < 8.6.58; >= 9.0.0, < 9.6.0
  • CVE-2026-33163: Parse Server leaks protected fields via LiveQuery afterEvent trigger
    Affected: from 0, < 8.6.50; >= 9.0.0, < 9.6.0
  • CVE-2026-33042: Parse Server affected by empty authData bypassing credential requirement on signup
    Affected: from 0, < 8.6.49; >= 9.0.0, < 9.6.0
  • CVE-2026-32878: Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
    Affected: from 0, < 8.6.44; >= 9.0.0, < 9.6.0
  • CVE-2026-32886: Parse Server's Cloud function dispatch crashes server via prototype chain traversal
    Affected: from 0, < 8.6.47; >= 9.0.0, < 9.6.0
  • CVE-2026-32943: Parse Server has a password reset token single-use bypass via concurrent requests
    Affected: from 0, < 8.6.48; >= 9.0.0, < 9.6.0
  • CVE-2026-32944: Parse Server crash via deeply nested query condition operators
    Affected: from 0, < 8.6.45; >= 9.0.0, < 9.6.0
  • CVE-2026-32728: Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
    Affected: from 0, < 8.6.41; >= 9.0.0, < 9.6.0
  • CVE-2026-32594: Parse Server's GraphQL WebSocket endpoint bypasses security middleware
    Affected: from 0, < 8.6.40; >= 9.0.0, < 9.6.0
  • CVE-2026-32269: Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
    Affected: >= 8.0.2, < 8.6.39; >= 9.0.0, < 9.6.0
  • CVE-2026-32248: Parse Server: Account takeover via operator injection in authentication data identifier
    Affected: from 0, < 8.6.38; >= 9.0.0, < 9.6.0
  • CVE-2026-32242: Parse Server OAuth2 adapter shares mutable state across providers via singleton instance
    Affected: from 0, < 8.6.37; >= 9.0.0, < 9.6.0
  • CVE-2026-32234: Parse Server has a SQL injection via query field name when using PostgreSQL
    Affected: from 0, < 8.6.36; >= 9.0.0, < 9.6.0
  • CVE-2026-32098: Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
    Affected: from 0, < 8.6.35; >= 9.0.0, < 9.6.0
  • CVE-2026-31901: Parse Server vulnerable to user enumeration via email verification endpoint
    Affected: from 0, < 8.6.34; >= 9.0.0, < 9.6.0
  • CVE-2026-31875: Parse Server's MFA recovery codes not consumed after use
    Affected: from 0, < 8.6.33; >= 9.0.0, < 9.6.0
  • CVE-2026-31872: Parse Server has a protected fields bypass via dot-notation in query and sort
    Affected: from 0, < 8.6.32; >= 9.0.0, < 9.6.0
  • CVE-2026-31871: Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
    Affected: from 0, < 8.6.31; >= 9.0.0, < 9.6.0
  • CVE-2026-31868: Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
    Affected: from 0, < 8.6.30; >= 9.0.0, < 9.6.0
  • CVE-2026-31856: Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
    Affected: from 0, < 8.6.29; >= 9.0.0, < 9.6.0
  • CVE-2026-31828: Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction
    Affected: from 0, < 8.6.26; >= 9.0.0, < 9.5.2
  • CVE-2026-31800: Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
    Affected: from 0, < 8.6.25; >= 9.0.0, < 9.5.2
  • CVE-2026-30972: Parse Server has a rate limit bypass via batch request endpoint
    Affected: from 0, < 8.6.23; >= 9.0.0, < 9.5.2
  • CVE-2026-30967: Parse Server OAuth2 authentication adapter account takeover via identity spoofing
    Affected: from 0, < 8.6.22; >= 9.0.0, < 9.5.2
  • CVE-2026-30965: Parse Server session token exfiltration via `redirectClassNameForKey` query parameter
    Affected: from 0, < 8.6.21; >= 9.0.0, < 9.5.2
  • CVE-2026-30962: Parse Server has a protected fields bypass via logical query operators
    Affected: from 0, < 8.6.19; >= 9.0.0, < 9.5.2
  • CVE-2026-30949: Parse Server is missing audience validation in Keycloak authentication adapter
    Affected: from 0, < 8.6.18; >= 9.0.0, < 9.5.2
  • CVE-2026-30948: Parse Server has stored cross-site scripting (XSS) via SVG file upload
    Affected: from 0, < 8.6.17; >= 9.0.0, < 9.5.2
  • CVE-2026-30947: Parse Server has a bypass of class-level permissions in LiveQuery
    Affected: from 0, < 8.6.16; >= 9.0.0, < 9.5.2
  • CVE-2026-30946: Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
    Affected: from 0, < 8.6.15; >= 9.0.0, < 9.5.2
  • CVE-2026-30941: Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
    Affected: from 0, < 8.6.14; >= 9.0.0, < 9.5.2
  • CVE-2026-31840: Parse Server: SQL injection via dot-notation field name in PostgreSQL
    Affected: from 0, < 8.6.28; >= 9.0.0, < 9.6.0
  • CVE-2026-30939: Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
    Affected: from 0, < 8.6.13; >= 9.0.0, < 9.5.1
  • CVE-2026-30938: Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
    Affected: from 0, < 8.6.12; >= 9.0.0, < 9.5.1
  • CVE-2026-30925: Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
    Affected: from 0, < 8.6.11; >= 9.0.0, < 9.5.0
  • CVE-2026-30863: Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
    Affected: from 0, < 9.5.0
  • CVE-2026-30854: Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
    Affected: >= 9.3.1, < 9.5.0
  • CVE-2026-30850: Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
    Affected: from 0, < 9.5.0
  • CVE-2026-30848: Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
    Affected: from 0, < 9.5.0
  • CVE-2026-30835: parse-server: Malformed `$regex` query leaks database error details in API response
    Affected: from 0, < 9.5.0
  • CVE-2026-30229: parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
    Affected: from 0, < 9.5.0
  • CVE-2026-30228: parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
    Affected: from 0, < 9.5.0
  • CVE-2026-29182: Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
    Affected: from 0, < 9.4.1
  • CVE-2026-27804: Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
    Affected: from 0, < 8.6.3; >= 9.0.0, < 9.3.1
  • CVE-2025-67727: Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management
    Affected: from 0, < 8.6.0
  • CVE-2025-68150: Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
    Affected: from 0, < 8.6.2; >= 9.0.0, < 9.1.1
  • CVE-2025-68115: Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables
    Affected: from 0, < 8.6.1; >= 9.0.0, < 9.1.0
  • CVE-2025-64502: Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
    Affected: from 0, < 8.5.0