GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
101 advisories
parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change
Severity: Low. GHSA-97pr-9hgg-3p8r was published for parse-server (npm) on Jun 19, 2026.
parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
Severity: Low. CVE-2026-55778 was published for parse-server (npm) on Jun 19, 2026.
parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Severity: Moderate. CVE-2026-53726 was published for parse-server (npm) on Jun 19, 2026.
parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Severity: Moderate. CVE-2026-53725 was published for parse-server (npm) on Jun 19, 2026.
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Severity: Low. CVE-2026-53724 was published for parse-server (npm) on Jun 19, 2026.
parse-server: Server option routeAllowList is bypassable through batch sub-requests
Severity: Moderate. CVE-2026-50008 was published for parse-server (npm) on Jun 19, 2026.
parse-server: Denial of service via exponential-time processing of deeply nested query operators
Severity: High. GHSA-cgxm-vr2f-6fj8 was published for parse-server (npm) on Jun 19, 2026.
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
Severity: Moderate. CVE-2026-47248 was published for parse-server (npm) on May 29, 2026.
Parse Server: Pre-authentication denial of service via client version header regex backtracking
Severity: High. CVE-2026-47138 was published for parse-server (npm) on May 23, 2026.
parse-server: MFA SMS one-time password accepted twice under concurrent login
Severity: Low. CVE-2026-43930 was published for parse-server (npm) on May 5, 2026.
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Severity: Moderate. CVE-2026-39381 was published for parse-server (npm) on Apr 8, 2026.
Parse Server has a login timing side-channel reveals user existence
Severity: Moderate. CVE-2026-39321 was published for parse-server (npm) on Apr 8, 2026.
Parse Server: File upload Content-Type override via extension mismatch
Severity: Low. CVE-2026-35200 was published for parse-server (npm) on Apr 4, 2026.
Parser Server's streaming file download bypasses afterFind file trigger authorization
Severity: High. CVE-2026-34784 was published for parse-server (npm) on Apr 1, 2026.
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Severity: Moderate. CVE-2026-34595 was published for parse-server (npm) on Apr 1, 2026.
Parse Server has a session field immutability bypass via falsy-value guard
Severity: Moderate. CVE-2026-34574 was published for parse-server (npm) on Apr 1, 2026.
parse-server has GraphQL complexity validator exponential fragment traversal DoS
Severity: High. CVE-2026-34573 was published for parse-server (npm) on Mar 31, 2026.
parse-server has cloud function validator bypass via prototype chain traversal
Severity: Critical. CVE-2026-34532 was published for parse-server (npm) on Mar 31, 2026.
GraphQL API endpoint ignores CORS origin restriction
Severity: Moderate. CVE-2026-34373 was published for parse-server (npm) on Mar 30, 2026.
LiveQuery protected field leak via shared mutable state across concurrent subscribers
Severity: High. CVE-2026-34363 was published for parse-server (npm) on Mar 30, 2026.
Parse Server has an MFA single-use token bypass via concurrent authData login requests
Severity: Low. CVE-2026-34224 was published for parse-server (npm) on Mar 29, 2026.
Parse Server exposes auth data via verify password endpoint
Severity: High. CVE-2026-34215 was published for parse-server (npm) on Mar 29, 2026.
Parse Server exposes auth data via /users/me endpoint
Severity: High. CVE-2026-33627 was published for parse-server (npm) on Mar 24, 2026.
Parse Server: MFA recovery code single-use bypass via concurrent requests
Severity: Low. CVE-2026-33624 was published for parse-server (npm) on Mar 24, 2026.
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Severity: High. CVE-2026-33539 was published for parse-server (npm) on Mar 24, 2026.
ProTip! Advisories are also available from the GraphQL API.