Security: parse-community/parse-server
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
GraphQL error messages disclose pointer and relation target class names when public introspection is disabledGHSA-r2g6-4f6j-f6rf published
Jul 10, 2026 by mtrezzaModerate -
GraphQL error messages disclose required input field names when public introspection is disabledGHSA-2fgh-8j2g-w354 published
Jul 10, 2026 by mtrezzaModerate -
Stored XSS via malformed Content-Type bypassing file upload extension blocklistGHSA-r899-h629-j84r published
Jun 25, 2026 by mtrezzaLow -
LiveQuery discloses object data to a subscriber across an ACL read-access changeGHSA-97pr-9hgg-3p8r published
Jun 19, 2026 by mtrezzaLow -
Denial of service via exponential-time processing of deeply nested query operatorsGHSA-cgxm-vr2f-6fj8 published
Jun 17, 2026 by mtrezzaHigh -
Stored XSS via non-standard file extension bypassing file upload extension blocklistGHSA-v8x7-r927-cc93 published
Jun 16, 2026 by mtrezzaLow -
GraphQL variable-coercion suggestions disclose schema to unauthenticated callersGHSA-9g8f-h8f3-hjcm published
Jul 8, 2026 by mtrezzaModerate -
Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is deniedGHSA-75v4-m273-5j49 published
Jun 3, 2026 by mtrezzaModerate -
Stored XSS via trailing-dot filename bypassing file upload extension blocklistGHSA-7wqv-xjf3-x35v published
Jun 1, 2026 by mtrezzaLow -
Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACLGHSA-wmwx-jr2p-4j4r published
Jun 4, 2026 by mtrezzaModerate