Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
57
GitHub Actions
50
Go
3,767
Maven
5,000+
npm
5,000+
NuGet
937
pip
4,999
Pub
13
RubyGems
1,058
Rust
1,347
Swift
54
Unreviewed advisories
All unreviewed
5,000+

92 advisories

Loading
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter Critical
CVE-2026-30965 was published for parse-server (npm) Mar 11, 2026
theinfosecguy Credited to theinfosecguy and mtrezza mtrezza mtrezza
Parse Server has a protected fields bypass via logical query operators High
CVE-2026-30962 was published for parse-server (npm) Mar 11, 2026
0xkakash1 Credited to 0xkakash1 and mtrezza mtrezza mtrezza
Parse Server missing audience validation in Keycloak authentication adapter High
CVE-2026-30949 was published for parse-server (npm) Mar 11, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload High
CVE-2026-30948 was published for parse-server (npm) Mar 11, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server has a bypass of class-level permissions in LiveQuery High
CVE-2026-30947 was published for parse-server (npm) Mar 11, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API High
CVE-2026-30946 was published for parse-server (npm) Mar 11, 2026
mtrezza Credited to mtrezza
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints High
CVE-2026-30941 was published for parse-server (npm) Mar 11, 2026
0xkakash1 Credited to 0xkakash1 and mtrezza mtrezza mtrezza
Parse Server: SQL injection via dot-notation field name in PostgreSQL Critical
CVE-2026-31840 was published for parse-server (npm) Mar 10, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution High
CVE-2026-30939 was published for parse-server (npm) Mar 10, 2026
theinfosecguy Credited to theinfosecguy and mtrezza mtrezza mtrezza
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement Moderate
CVE-2026-30938 was published for parse-server (npm) Mar 10, 2026
0xkakash1 Credited to 0xkakash1 and mtrezza mtrezza mtrezza
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery High
CVE-2026-30925 was published for parse-server (npm) Mar 10, 2026
TinkAnet Credited to TinkAnet and mtrezza mtrezza mtrezza
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters Critical
CVE-2026-30863 was published for parse-server (npm) Mar 9, 2026
asukachloe Credited to asukachloe, mtrezza, and devanshbatham mtrezza mtrezza
devanshbatham devanshbatham
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled Moderate
CVE-2026-30854 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization Moderate
CVE-2026-30850 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory Moderate
CVE-2026-30848 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
parse-server: Malformed `$regex` query leaks database error details in API response Moderate
CVE-2026-30835 was published for parse-server (npm) Mar 6, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user High
CVE-2026-30229 was published for parse-server (npm) Mar 6, 2026
devanshbatham Credited to devanshbatham and mtrezza mtrezza mtrezza
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction Moderate
CVE-2026-30228 was published for parse-server (npm) Mar 6, 2026
devanshbatham Credited to devanshbatham and mtrezza mtrezza mtrezza
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction High
CVE-2026-29182 was published for parse-server (npm) Mar 5, 2026
asukachloe Credited to asukachloe, mtrezza, and devanshbatham mtrezza mtrezza
devanshbatham devanshbatham
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter Critical
CVE-2026-27804 was published for parse-server (npm) Feb 25, 2026
sebastianosrt Credited to sebastianosrt and mtrezza mtrezza mtrezza
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions High
CVE-2026-27610 was published for parse-dashboard (npm) Feb 25, 2026
mtrezza Credited to mtrezza
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint High
CVE-2026-27609 was published for parse-dashboard (npm) Feb 25, 2026
mtrezza Credited to mtrezza
Parse Dashboard is Missing Authorization for its Agent Endpoint Critical
CVE-2026-27608 was published for parse-dashboard (npm) Feb 25, 2026
mtrezza Credited to mtrezza and ByamB4 ByamB4 ByamB4
Parse Dashboard has incomplete authentication on AI Agent endpoint Critical
CVE-2026-27595 was published for parse-dashboard (npm) Feb 25, 2026
ByamB4 Credited to ByamB4 and mtrezza mtrezza mtrezza
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter High
CVE-2025-68150 was published for parse-server (npm) Dec 16, 2025
yueyueL Credited to yueyueL, mtrezza, and rhdesmond mtrezza mtrezza
rhdesmond rhdesmond
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database