Security: parse-community/parse-server
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
GraphQL WebSocket endpoint bypasses security middlewareGHSA-p2x3-8689-cwpg published
Mar 13, 2026 by mtrezzaModerate -
Cloud function dispatch crashes server via prototype chain traversalGHSA-4263-jgmp-7pf4 published
Mar 16, 2026 by mtrezzaHigh -
OAuth2 adapter shares mutable state across providers via singleton instanceGHSA-2cjm-2gwv-m892 published
Mar 11, 2026 by mtrezzaCritical -
OAuth2 adapter app ID validation sends wrong token to introspection endpointGHSA-69xg-f649-w5g2 published
Mar 12, 2026 by mtrezzaModerate -
Protected fields leak via LiveQuery afterEvent triggerGHSA-5hmj-jcgp-6hff published
Mar 17, 2026 by mtrezzaHigh -
Account takeover via operator injection in authentication data identifierGHSA-5fw2-8jcv-xh87 published
Mar 11, 2026 by mtrezzaCritical -
Session creation endpoint allows overwriting server-generated session fieldsGHSA-5v7g-9h8f-8pgg published
Mar 16, 2026 by mtrezzaModerate -
Schema poisoning via prototype pollution in deep copyGHSA-9ccr-fpp6-78qf published
Mar 16, 2026 by mtrezzaModerate -
Protected fields bypass via LiveQuery subscription WHERE clauseGHSA-j7mm-f4rv-6q6q published
Mar 10, 2026 by mtrezzaModerate -
SQL injection via query field name when using PostgreSQLGHSA-c442-97qw-j6c6 published
Mar 11, 2026 by mtrezzaModerate