8.8

CVE-2026-34373

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ParseplatformParse-server SwPlatformnode.js Version >= 3.5.0 < 8.6.66
ParseplatformParse-server SwPlatformnode.js Version >= 9.0.0 < 9.7.0
ParseplatformParse-server Version9.7.0 Updatealpha1 SwPlatformnode.js
ParseplatformParse-server Version9.7.0 Updatealpha2 SwPlatformnode.js
ParseplatformParse-server Version9.7.0 Updatealpha3 SwPlatformnode.js
ParseplatformParse-server Version9.7.0 Updatealpha4 SwPlatformnode.js
ParseplatformParse-server Version9.7.0 Updatealpha5 SwPlatformnode.js
ParseplatformParse-server Version9.7.0 Updatealpha6 SwPlatformnode.js
ParseplatformParse-server Version9.7.0 Updatealpha7 SwPlatformnode.js
ParseplatformParse-server Version9.7.0 Updatealpha8 SwPlatformnode.js
ParseplatformParse-server Version9.7.0 Updatealpha9 SwPlatformnode.js
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.02% 0.041
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com 5.3 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.