CVE-2026-33539

EPSS 0.45%
Veröffentlicht 24.03.2026 18:26:56
Zuletzt bearbeitet 25.03.2026 21:18:00
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 54 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.59

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.6.0

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha10 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha11 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha12 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha13 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha14 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha15 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha16 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha17 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha18 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha19 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha20 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha21 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha22 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha23 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha24 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha25 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha26 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha27 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha28 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha29 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha30 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha31 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha32 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha33 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha34 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha35 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha36 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha37 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha38 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha39 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha40 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha41 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha42 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha43 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha44 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha45 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha46 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha47 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha48 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha49 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha50 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha51 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha52 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha9 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.358

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.6	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3

Vendor Advisory

https://github.com/parse-community/parse-server/pull/10272

Issue Tracking

https://github.com/parse-community/parse-server/pull/10273

Issue Tracking

https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c

Patch

https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-33539

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33539

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33539

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33539