GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
13 advisories
Parse Server affected by empty authData bypassing credential requirement on signup
Moderate | CVE-2026-33042 was published for parse-server (npm) Mar 17, 2026

Parse Server LiveQuery subscription with invalid regular expression crashes server
Moderate | CVE-2026-32770 was published for parse-server (npm) Mar 17, 2026

Parse Server's Cloud function dispatch crashes server via prototype chain traversal
High | CVE-2026-32886 was published for parse-server (npm) Mar 17, 2026

Parse Server has a password reset token single-use bypass via concurrent requests
Low | GHSA-r3xq-68wh-gwvh was published for parse-server (npm) Mar 17, 2026

Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
High | CVE-2026-32728 was published for parse-server (npm) Mar 16, 2026

Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Moderate | CVE-2026-32594 was published for parse-server (npm) Mar 13, 2026

Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Moderate | CVE-2026-32269 was published for parse-server (npm) Mar 13, 2026

Parse Server: Account takeover via operator injection in authentication data identifier
Critical | CVE-2026-32248 was published for parse-server (npm) Mar 12, 2026

Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Critical | CVE-2026-32242 was published for parse-server (npm) Mar 12, 2026

Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Moderate | CVE-2026-30854 was published for parse-server (npm) Mar 9, 2026

Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Moderate | CVE-2026-30850 was published for parse-server (npm) Mar 9, 2026

Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Moderate | CVE-2026-30848 was published for parse-server (npm) Mar 9, 2026

parse-server: Malformed `$regex` query leaks database error details in API response
Moderate | CVE-2026-30835 was published for parse-server (npm) Mar 6, 2026
ProTip! Advisories are also available from the GraphQL API.