9.8
CVE-2026-32248
- EPSS 0.07%
- Veröffentlicht 12.03.2026 19:14:47
- Zuletzt bearbeitet 13.03.2026 19:00:34
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable. This vulnerability is fixed in 9.6.0-alpha.12 and 8.6.38.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.38
Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.6.0
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha1 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha10 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha11 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha2 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha3 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha4 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha5 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha6 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha7 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha8 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.6.0 Updatealpha9 SwPlatformnode.js
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.07% | 0.203 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 9.3 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-943 Improper Neutralization of Special Elements in Data Query Logic
The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.