Parse-server

This hub aggregates every CVE we track for Parse-server, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Parse-server.

• CVE-2026-43930Parse Server: MFA SMS one-time password accepted twice under concurrent login5.9May 12, 2026
• CVE-2026-39381Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`4.3Apr 7, 2026
• CVE-2026-39321Parse Server has a login timing side-channel reveals user existence3.7Apr 7, 2026
• CVE-2026-35200Parse Server has a file upload Content-Type override via extension mismatch5.4Apr 6, 2026
• CVE-2026-34784Parse Server: Streaming file download bypasses afterFind file trigger authorization7.5Mar 31, 2026
• CVE-2026-34215Parse Server: Auth data exposed via verify password endpoint6.5Mar 31, 2026
• CVE-2026-34595Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value4.3Mar 31, 2026
• CVE-2026-34574Parse Server: Session field immutability bypass via falsy-value guard5.4Mar 31, 2026
• CVE-2026-34573Parse Server: GraphQL complexity validator exponential fragment traversal DoS7.5Mar 31, 2026
• CVE-2026-34532Parse Server: Cloud function validator bypass via prototype chain traversal9.1Mar 31, 2026
• CVE-2026-34373Parse Server: GraphQL API endpoint ignores CORS origin restriction8.8Mar 31, 2026
• CVE-2026-34363Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers5.3Mar 31, 2026
• CVE-2026-34224Parse Server: MFA single-use token bypass via concurrent authData login requests4.4Mar 31, 2026
• CVE-2026-33627Parse Server: Auth data exposed via /users/me endpoint6.5Mar 24, 2026
• CVE-2026-33624Parse Server: MFA recovery code single-use bypass via concurrent requests2.7Mar 24, 2026