Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

94 advisories

Loading
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers Moderate
CVE-2026-47248 was published for parse-server (npm) May 29, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server: Pre-authentication denial of service via client version header regex backtracking High
CVE-2026-47138 was published for parse-server (npm) May 23, 2026
shmulc8 Credited to shmulc8 and mtrezza mtrezza mtrezza
parse-server: MFA SMS one-time password accepted twice under concurrent login Low
CVE-2026-43930 was published for parse-server (npm) May 5, 2026
adrgs Credited to adrgs, aisafe-bot, and mtrezza aisafe-bot aisafe-bot
mtrezza mtrezza
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` Moderate
CVE-2026-39381 was published for parse-server (npm) Apr 8, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server has a login timing side-channel reveals user existence Moderate
CVE-2026-39321 was published for parse-server (npm) Apr 8, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server: File upload Content-Type override via extension mismatch Low
CVE-2026-35200 was published for parse-server (npm) Apr 4, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parser Server's streaming file download bypasses afterFind file trigger authorization High
CVE-2026-34784 was published for parse-server (npm) Apr 1, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value Moderate
CVE-2026-34595 was published for parse-server (npm) Apr 1, 2026
bugbunny-research Credited to bugbunny-research and mtrezza mtrezza mtrezza
Parse Server has a session field immutability bypass via falsy-value guard Moderate
CVE-2026-34574 was published for parse-server (npm) Apr 1, 2026
bugbunny-research Credited to bugbunny-research and mtrezza mtrezza mtrezza
parse-server has GraphQL complexity validator exponential fragment traversal DoS High
CVE-2026-34573 was published for parse-server (npm) Mar 31, 2026
bugbunny-research Credited to bugbunny-research and mtrezza mtrezza mtrezza
parse-server has cloud function validator bypass via prototype chain traversal Critical
CVE-2026-34532 was published for parse-server (npm) Mar 31, 2026
mtrezza Credited to mtrezza and bugbunny-research bugbunny-research bugbunny-research
GraphQL API endpoint ignores CORS origin restriction Moderate
CVE-2026-34373 was published for parse-server (npm) Mar 30, 2026
mtrezza Credited to mtrezza
LiveQuery protected field leak via shared mutable state across concurrent subscribers High
CVE-2026-34363 was published for parse-server (npm) Mar 30, 2026
mtrezza Credited to mtrezza
Parse Server has an MFA single-use token bypass via concurrent authData login requests Low
CVE-2026-34224 was published for parse-server (npm) Mar 29, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server exposes auth data via verify password endpoint High
CVE-2026-34215 was published for parse-server (npm) Mar 29, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server exposes auth data via /users/me endpoint High
CVE-2026-33627 was published for parse-server (npm) Mar 24, 2026
mtrezza Credited to mtrezza
Parse Server: MFA recovery code single-use bypass via concurrent requests Low
CVE-2026-33624 was published for parse-server (npm) Mar 24, 2026
mtrezza Credited to mtrezza and spbavarva spbavarva spbavarva
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter High
CVE-2026-33539 was published for parse-server (npm) Mar 24, 2026
mtrezza Credited to mtrezza
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers High
CVE-2026-33538 was published for parse-server (npm) Mar 24, 2026
mtrezza Credited to mtrezza
Parse Server's Session Update endpoint allows overwriting server-generated session fields Moderate
CVE-2026-33527 was published for parse-server (npm) Mar 24, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server LiveQuery subscription query depth bypass High
CVE-2026-33508 was published for parse-server (npm) Mar 20, 2026
mith36 Credited to mith36 and mtrezza mtrezza mtrezza
Parse Server has a query condition depth bypass via pre-validation transform pipeline High
CVE-2026-33498 was published for parse-server (npm) Mar 20, 2026
nikoladzekic Credited to nikoladzekic and mtrezza mtrezza mtrezza
Parse Server has a protected field change detection oracle via LiveQuery watch parameter Moderate
CVE-2026-33429 was published for parse-server (npm) Mar 20, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server's LiveQuery bypasses CLP pointer permission enforcement High
CVE-2026-33421 was published for parse-server (npm) Mar 20, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server has an auth provider validation bypass on login via partial authData High
CVE-2026-33409 was published for parse-server (npm) Mar 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database