parse
333 known vulnerabilities · 13 critical · 43 high
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
parse-server's session object properties can be updated by foreign user if object ID is known
Remote code execution via MongoDB BSON parser through prototype pollution
Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers
Malicious code in bfruitmaliciousxmlparser (npm)
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
Follow Redirects improperly handles URLs in the url.parse() function
Parse Server has a protected fields bypass via logical query operators
Parse Server has a bypass of class-level permissions in LiveQuery
OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
parse-ini is vulnerable to Prototype Pollution in index.js()
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Malicious code in azure-dtdl-parser-samples-js-beta (npm)
Malicious code in parseq-tracevis (npm)
body-parser vulnerable to denial of service when url encoding is enabled
Parse Server's custom object ID allows acquiring role privileges
Parse Server vulnerable to user enumeration via email verification endpoint
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Malicious code in bigid-filter-recursive-parser (npm)
nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()
Parse Server LiveQuery subscription with invalid regular expression crashes server
html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS)
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
Parse Server session creation endpoint allows overwriting server-generated session fields
AWS Lambda parser is vulnerable to Regular Expression Denial of Service
Parse Server has role escalation and CLP bypass via direct `_Join` table write
parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url
Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Malicious code in @peter_wilson12091/internal-json-test-parser (npm)
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Malicious code in json-specparse (npm)
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Malicious code in hermes-parser-packages (npm)
Malicious code in uri-parse (npm)
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
Malicious code in eziparser (npm)
Parse Server: MFA recovery code single-use bypass via concurrent requests
Duplicate Advisory: Embedded malware in ua-parser-js
Malicious code in safe-json-parsex (npm)
Malicious code in string-parser-utils (npm)
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
Parse Server before v3.4.1 vulnerable to Denial of Service
devalue affected by CPU and memory amplification from sparse arrays
devalue has prototype pollution in devalue.parse and devalue.unflatten
Malicious code in cooieparser (npm)
Parse Server has an auth provider validation bypass on login via partial authData
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Malicious code in flow-parser-oxidized (npm)
Parse Server missing audience validation in Keycloak authentication adapter
Regular expression Denial of Service in @progfay/scrapbox-parser
Malicious code in minimum-flow-parser (npm)
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
Command injection in Parse Server through prototype pollution
fast-xml-parser vulnerable to Regex Injection via Doctype Entities
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
Parse Server may crash when uploading file without extension
Malicious code in hubl-parser (npm)
Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
Parse Dashboard has incomplete authentication on AI Agent endpoint
parse-server auth adapter app ID validation can be circumvented
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Parse Server has a SQL injection via query field name when using PostgreSQL
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
Malicious code in x-session-parser (npm)
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Zod jsVideoUrlParser vulnerable to ReDoS in util.js
Malicious code in cursorparserfruit (npm)
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
Malicious code in viktorparserctf4 (npm)
Malicious code in viktorparserctf7 (npm)
parse-server: Malformed `$regex` query leaks database error details in API response
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
Malicious code in tna_xmlparser (npm)
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Authorization Bypass Through User-Controlled Key in url-parse
Malicious code in parse-session (npm)
Malicious code in @asyncapi/avro-schema-parser (npm)
Malicious code in vite-plugin-parseflow (npm)
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Malicious code in @voiceflow/body-parser (npm)
@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling
Malicious code in web3-parser (npm)
Malicious code in @f5rest/odata-v4-parser (npm)
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
parse-server: MFA SMS one-time password accepted twice under concurrent login
parse-server has GraphQL complexity validator exponential fragment traversal DoS
Parse Server has a login timing side-channel that reveals user existence
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Malicious code in moscova-plural-json-parser (npm)
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
Malicious code in superbankxmlparser (npm)
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Malicious code in http-parse (npm)
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Parse Server has a password reset token single-use bypass via concurrent requests
Svelte devalue: DoS via sparse array deserialization
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
js-ini Prototype Pollution when malicious INI files are submitted to an application that parses them with `parse`
Malicious code in afruitmaliciousxmlparser (npm)
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
Malicious code in url-parser-native (npm)
body-parser is vulnerable to denial of service when url encoding is used
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
Parse Server leaks protected fields via LiveQuery afterEvent trigger
Malicious code in style-value-parser (npm)
OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
Malicious code in session-parse (npm)
Malicious code in discord-json-parser (npm)
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Malicious code in @antstackio/graphql-body-parser (npm)
Malicious code in ok-message-parser (npm)
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
Parse Server email verification resend page leaks user existence
Malicious code in react-adparser (npm)
Malicious code in viktorparserctf5 (npm)
Malicious code in viktorparserctf6 (npm)
Malicious code in redis-cookie-parser (npm)
Malicious code in redis-request-parser (npm)
Malicious code in dtdl-parser (npm)
Parse Server: Account takeover via operator injection in authentication data identifier
Malicious code in hfruitmaliciousxmlparser (npm)
Malicious code in smart-parser (npm)
ua-parser-js Regular Expression Denial of Service vulnerability
Malicious code in grgtgparse (npm)
Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse
cookiejar Regular Expression Denial of Service via Cookie.parse function
Malicious code in @asyncapi/protobuf-schema-parser (npm)
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
Malicious code in @asyncapi/multi-parser (npm)
Malicious code in otetoparserlparser (npm)
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Malicious code in cfruitmaliciousxmlparser (npm)
Parse Server has a query condition depth bypass via pre-validation transform pipeline
Malicious code in js-cookie-parser (npm)
ion-parser Prototype Pollution when a malicious INI file is submitted to an application that parses it with `parse`
Malicious code in efruitmaliciousxmlparser (npm)
Malicious code in ffruitmaliciousxmlparser (npm)
Malicious code in gfruitmaliciousxmlparser (npm)
Malicious code in viktorparserctf (npm)
Malicious code in viktorparserctf3 (npm)
Malicious code in postcsssafeparsear (npm)
Malicious code in ppppparserfruit (npm)
Malicious code in viktor-xml-parser (npm)
Malicious code in body-parser-js (npm)
Malicious code in vite-plugin-parse (npm)
Malicious code in nginx-data-transfer-parser (npm)
Malicious code in url-w.parse (npm)
Malicious code in cookie-parser-legacy (npm)
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
Malicious code in htlparsevr2 (npm)
Malicious code in elliptic-parser (npm)
Malicious code in ticket-parser2 (npm)
Malicious code in ticket-parser2-py3 (npm)
node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
Malicious code in turbo-json-parser (npm)
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass
Malicious code in @asyncapi/openapi-schema-parser (npm)
Malicious code in n8n-nodes-csv-parse (npm)
parse-server new anonymous user session acts as if it's created with password
flatted vulnerable to unbounded recursion DoS in parse() revive phase
Parse Server affected by empty authData bypassing credential requirement on signup
Malicious code in boby_parser (npm)
Malicious code in loger-parser (npm)
Malicious code in @postman/csv-parse (npm)
Malicious code in katt-blueprint-parser (npm)
Malicious code in fruit-malicious-xml-parser (npm)
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
Malicious code in bridge-transaction-parser-hop400 (npm)
Malicious code in dfruitmaliciousxmlparser (npm)
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE
Parse Server option `masterKeyIps` vulnerability to IP spoofing
Malicious code in cors-parser (npm)
Malicious code in koabodparser (npm)
Malicious code in glog-parser (npm)
file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
Malicious code in eslint-parser-vue (npm)
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
Malicious code in fk-ua-parser (npm)
Malicious code in supxmlparser (npm)
Malicious code in @mparpaillon/connector-parse (npm)
query-parser-string is vulnerable to Prototype Pollution
Malicious code in @shopify.com/shopifyql-parser (npm)
@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Malicious code in vite-plugin-parse-js (npm)
Parse Server has a session field immutability bypass via falsy-value guard
Malicious code in viktorparserctf8 (npm)
Malicious code in remark-parse10 (npm)
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Malicious code in viktorparserctf9 (npm)
Malicious code in https-parse (npm)
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Malicious code in datetime-moment-parser (npm)
Parse Server has an MFA single-use token bypass via concurrent authData login requests
parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names
Malicious code in ctfparsertna (npm)
Malicious code in viktorparserctf2 (npm)
Malicious code in toskasldfjaldf-parser (npm)
Malicious code in parsejson-pro (npm)
Malicious code in jsonify-parser (npm)
Malicious code in byte-parser (npm)
Malicious code in shopifyql-parser (npm)
Malicious code in parse-escape-regex-string (npm)
Malicious code in parse-regex-string (npm)
Malicious code in @lint-md/parser (npm)
Parse Server: File upload Content-Type override via extension mismatch
Malicious code in chai-parse (npm)
Malicious code in json-parse-genie (npm)
Malicious code in parse-compat (npm)
Parse Server has a protected fields bypass via dot-notation in query and sort
Malicious code in tnaparserxml (npm)
Malicious code in tnaxmlparserctf (npm)
Malicious code in cookie-parsers-env (npm)
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow
Malicious code in @puresec/addressparser-malicious (npm)
Parse Server: Pre-authentication denial of service via client version header regex backtracking
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Malicious code in swift-parse-stream (npm)
Parse Server's streaming file download bypasses afterFind file trigger authorization
Malicious code in bridge-transaction-parser (npm)
Malicious code in postcss-minify-selector-parser (npm)
pnpm incorrectly parses tar archives relative to specification
parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change
parse-server: Denial of service via exponential-time processing of deeply nested query operators
parse-server crashes when receiving file download request with invalid byte range
parse-server: Server option routeAllowList is bypassable through batch sub-requests
parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
parse-server has cloud function validator bypass via prototype chain traversal
parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Parse Server exposes auth data via verify password endpoint
Malicious code in custom-query-parse-serialization (npm)
Malicious code in @asyncapi/parser (npm)
Malicious code in @chunklab/hexparse (npm)