Security: parse-community/parse-server
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
  GHSA-75v4-m273-5j49, published Jun 3, 2026 by mtrezza, severity: Moderate
- Stored XSS via trailing-dot filename bypassing file upload extension blocklist
  GHSA-7wqv-xjf3-x35v, published Jun 1, 2026 by mtrezza, severity: Low
- Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
  GHSA-wmwx-jr2p-4j4r, published Jun 4, 2026 by mtrezza, severity: Moderate
- Server option `routeAllowList` is bypassable through batch sub-requests
  GHSA-p84r-h6rx-f2xr, published May 27, 2026 by mtrezza, severity: Moderate
- Pre-authentication denial of service via client version header regex backtracking
  GHSA-38m6-82c8-4xfm, published May 17, 2026 by mtrezza, severity: High
- GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers
  GHSA-8cph-rgr4-g5vj, published May 18, 2026 by mtrezza, severity: Moderate
- MFA SMS one-time password accepted twice under concurrent login
  GHSA-jpq4-7fmq-q5fj, published Apr 26, 2026 by mtrezza, severity: Low
- Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
  GHSA-g4v2-qx3q-4p64, published Apr 6, 2026 by mtrezza, severity: Moderate
- Streaming file download bypasses `afterFind` file trigger authorization
  GHSA-hpm8-9qx6-jvwv, published Mar 30, 2026 by mtrezza, severity: High
- Login timing side-channel reveals user existence
  GHSA-mmpq-5hcv-hf2v, published Apr 5, 2026 by mtrezza, severity: Moderate