GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
101 advisories
Filter by severity
Parse Server has a protected fields bypass via dot-notation in query and sort
High
CVE-2026-31872
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Critical
CVE-2026-31871
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
Moderate
CVE-2026-31868
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Critical
CVE-2026-31856
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
Moderate
CVE-2026-31828
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
High
CVE-2026-31800
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server has a rate limit bypass via batch request endpoint
Moderate
CVE-2026-30972
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
High
CVE-2026-30967
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server has role escalation and CLP bypass via direct `_Join` table write
Critical
CVE-2026-30966
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Critical
CVE-2026-30965
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server has a protected fields bypass via logical query operators
High
CVE-2026-30962
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server missing audience validation in Keycloak authentication adapter
High
CVE-2026-30949
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
High
CVE-2026-30948
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server has a bypass of class-level permissions in LiveQuery
High
CVE-2026-30947
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
High
CVE-2026-30946
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
High
CVE-2026-30941
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840
was published
for
parse-server
(npm)
Mar 10, 2026
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
High
CVE-2026-30939
was published
for
parse-server
(npm)
Mar 10, 2026
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Moderate
CVE-2026-30938
was published
for
parse-server
(npm)
Mar 10, 2026
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
High
CVE-2026-30925
was published
for
parse-server
(npm)
Mar 10, 2026
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Critical
CVE-2026-30863
was published
for
parse-server
(npm)
Mar 9, 2026
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Moderate
CVE-2026-30854
was published
for
parse-server
(npm)
Mar 9, 2026
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Moderate
CVE-2026-30850
was published
for
parse-server
(npm)
Mar 9, 2026
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Moderate
CVE-2026-30848
was published
for
parse-server
(npm)
Mar 9, 2026
parse-server: Malformed `$regex` query leaks database error details in API response
Moderate
CVE-2026-30835
was published
for
parse-server
(npm)
Mar 6, 2026
ProTip!
Advisories are also available from the
GraphQL API