Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Vendors
Npm
Parse Server

npm parse-server Vulnerabilities: CVEs, CISA KEV & Security Advisories

106 CVEs

npm

npm parse-server Vulnerabilities

CVE security advisories and vulnerability history for parse-server by npm.

106

Total CVEs

Published

0

In CISA KEV

Exploited in the wild

3

Public exploits

With known exploit

7.3

Avg CVSS

2019–2026

Last updated May 12, 2026

Overview

npm parse-server has 106 published CVE records since 2019, of which 0 are in CISA's Known Exploited Vulnerabilities catalog and 3 have a known public exploit. The average CVSS base score across scored CVEs is 7.3.

This page aggregates every publicly disclosed vulnerability (CVE) affecting npm parse-server, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.

Severity and exploitation

How the CVSS severity of npm parse-server's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical16

High47

Medium36

Low5

2 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

0

None of npm parse-server's CVEs are currently listed in CISA's KEV catalog.

Public exploits

3

3 of npm parse-server's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every npm parse-server version named in a CVE, then pick one to see only the CVEs that affect it.

Fixed in

Find a version

106 CVEs

Sort

Parse Server: MFA SMS one-time password accepted twice under concurrent login
CVE-2026-43930
Patch
CWE-362
Low · CVSS 2.1
EPSS 0.0% (1th pct)2026-05-12
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
CVE-2026-39381
Patch
CWE-863
Medium · CVSS 5.3
EPSS 0.0% (9th pct)2026-04-07
Parse Server has a login timing side-channel reveals user existence
CVE-2026-39321
Patch
CWE-208
Medium · CVSS 6.3
EPSS 0.0% (9th pct)2026-04-07
Parse Server has a file upload Content-Type override via extension mismatch
CVE-2026-35200
Patch
CWE-436
Low · CVSS 2.1
EPSS 0.0% (10th pct)2026-04-06
Parse Server: Streaming file download bypasses afterFind file trigger authorization
CVE-2026-34784
Patch
CWE-285
High · CVSS 8.2
EPSS 0.0% (4th pct)2026-03-31
Parse Server: Auth data exposed via verify password endpoint
CVE-2026-34215
Patch
CWE-200
High · CVSS 8.2
EPSS 0.1% (22th pct)2026-03-31
Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value
CVE-2026-34595
Patch
CWE-843
Medium · CVSS 5.3
EPSS 0.0% (11th pct)2026-03-31
Parse Server: Session field immutability bypass via falsy-value guard
CVE-2026-34574
Patch
CWE-697
Medium · CVSS 5.3
EPSS 0.0% (11th pct)2026-03-31
Parse Server: GraphQL complexity validator exponential fragment traversal DoS
CVE-2026-34573
Patch
CWE-407
High · CVSS 8.2
EPSS 0.0% (5th pct)2026-03-31
Parse Server: Cloud function validator bypass via prototype chain traversal
CVE-2026-34532
Patch
CWE-863
Critical · CVSS 9.1
EPSS 0.0% (13th pct)2026-03-31
Parse Server: GraphQL API endpoint ignores CORS origin restriction
CVE-2026-34373
Patch
CWE-346
Medium · CVSS 5.3
EPSS 0.0% (5th pct)2026-03-31
Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
CVE-2026-34363
Patch
CWE-362
High · CVSS 8.2
EPSS 0.0% (7th pct)2026-03-31
Parse Server: MFA single-use token bypass via concurrent authData login requests
CVE-2026-34224
Patch
CWE-367
Medium · CVSS 4.4
EPSS 0.0% (6th pct)2026-03-31
Parse Server: Auth data exposed via /users/me endpoint
CVE-2026-33627
Patch
CWE-200
High · CVSS 7.1
EPSS 0.0% (12th pct)2026-03-24
Parse Server: MFA recovery code single-use bypass via concurrent requests
CVE-2026-33624
Patch
CWE-367
Low · CVSS 2.1
EPSS 0.0% (10th pct)2026-03-24
Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter
CVE-2026-33539
Patch
CWE-89
High · CVSS 8.6
EPSS 0.0% (7th pct)2026-03-24
Parse Server: Denial of service via unindexed database query for unconfigured auth providers
CVE-2026-33538
Patch
CWE-400
High · CVSS 8.7
EPSS 0.1% (34th pct)2026-03-24
Parse Server: Session update endpoint allows overwriting server-generated session fields
CVE-2026-33527
Patch
CWE-863
Medium · CVSS 5.3
EPSS 0.0% (3th pct)2026-03-24
Parse Server: LiveQuery subscription query depth bypass
CVE-2026-33508
Patch
CWE-674
High · CVSS 8.2
EPSS 0.1% (21th pct)2026-03-24
Parse Server: Query condition depth bypass via pre-validation transform pipeline
CVE-2026-33498
Patch
CWE-674
High · CVSS 8.7
EPSS 0.0% (6th pct)2026-03-24
Parse Server: Protected field change detection oracle via LiveQuery watch parameter
CVE-2026-33429
Patch
CWE-203
Medium · CVSS 6.3
EPSS 0.0% (3th pct)2026-03-24
Parse Server: LiveQuery bypasses CLP pointer permission enforcement
CVE-2026-33421
Patch
CWE-863
High · CVSS 7.1
EPSS 0.0% (2th pct)2026-03-24
Parse Server: Auth provider validation bypass on login via partial authData
CVE-2026-33409
Patch
CWE-287
High · CVSS 7.0
EPSS 0.0% (8th pct)2026-03-24
Parse Server: Email verification resend page leaks user existence
CVE-2026-33323
Patch
CWE-204
Medium · CVSS 6.3
EPSS 0.1% (16th pct)2026-03-24
Parse Server leaks protected fields via LiveQuery afterEvent trigger
CVE-2026-33163
Patch
CWE-200
High · CVSS 8.2
EPSS 0.0% (12th pct)2026-03-18
Parse Server affected by empty authData bypassing credential requirement on signup
CVE-2026-33042
Patch
CWE-287
Medium · CVSS 6.9
EPSS 0.0% (2th pct)2026-03-18
Parse Server crash via deeply nested query condition operators
CVE-2026-32944
Patch
CWE-674
High · CVSS 8.7
EPSS 0.0% (6th pct)2026-03-18
Parse Server has a password reset token single-use bypass via concurrent requests
CVE-2026-32943
Patch
CWE-367
Low · CVSS 2.3
EPSS 0.0% (2th pct)2026-03-18
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
CVE-2026-32886
Patch
CWE-1321
High · CVSS 8.2
EPSS 0.0% (10th pct)2026-03-18
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
CVE-2026-32878
Patch
CWE-1321
Medium · CVSS 5.3
EPSS 0.0% (4th pct)2026-03-18

Showing 30 of 106

Common weakness types

The CWE weakness categories most often found in npm parse-server CVEs. Follow any weakness for its full explanation.

CWE-863Incorrect Authorization11 CVEs
CWE-287Improper Authentication10 CVEs
CWE-200Exposure of Sensitive Information to an Unauthorized Actor7 CVEs
CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')6 CVEs
CWE-1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')6 CVEs
CWE-74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')4 CVEs
CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')4 CVEs
CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')3 CVEs

Disclosure activity by year

How many npm parse-server CVEs were published each year.

2019

2

2020

4

2021

3

2022

12

2023

5

2024

4

2025

6

2026

70

Other npm products

Browse vulnerabilities for other products by npm.

openclaw404 CVEs n8n62 CVEs directus53 CVEs electron48 CVEs flowise48 CVEs next47 CVEs vm232 CVEs hono29 CVEs

All npm vulnerabilities

Frequently asked questions

Common questions about npm parse-server vulnerabilities.

How many CVEs does npm parse-server have?

npm parse-server has 106 published CVE records since 2019.

How many npm parse-server CVEs are in CISA KEV?

None of npm parse-server's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Are there public exploits for npm parse-server vulnerabilities?

Yes — 3 of npm parse-server's CVEs have a known public exploit.

Which versions of npm parse-server are affected?

199 distinct npm parse-server versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in npm parse-server CVEs?

npm parse-server's CVEs most often map to these CWE weakness types: CWE-863 (Incorrect Authorization), CWE-287 (Improper Authentication), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')).

How many critical npm parse-server vulnerabilities are there?

npm parse-server has 16 critical and 47 high-severity CVEs.

What is the average severity of npm parse-server CVEs?

The average CVSS base score across npm parse-server's scored CVEs is 7.3.

References

All npm vulnerabilities
The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track npm parse-server vulnerabilities

Monitor new npm parse-server vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Affected versions and CVEs
Common weakness types
Disclosure activity
Other products
FAQ
References