
parse

302 known vulnerabilities · 13 critical · 43 high

CVE-2025-57324

parse is vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2025-62374

Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

Published Oct 14, 2025
CVE-2021-23328 MEDIUM

Prototype Pollution in iniparserjs

Published Apr 13, 2021
CVE-2022-39225 MEDIUM

parse-server's session object properties can be updated by foreign user if object ID is known

Published Sep 21, 2022
CVE-2022-39396 CRITICAL

Remote code execution via MongoDB BSON parser through prototype pollution

Published Nov 8, 2022
CVE-2022-41878 HIGH

Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers

Published Nov 9, 2022
CVE-2022-36079 HIGH

Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Published Sep 16, 2022
CVE-2020-7617 MEDIUM

Prototype Pollution in ini-parser

Published Jun 10, 2020
GHSA-2w79-r9g8-wmcr

OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)

Published Apr 3, 2026
MAL-2025-192545

Malicious code in bfruitmaliciousxmlparser (npm)

Published Dec 12, 2025
GHSA-8g29-8xwr-qmhr

@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling

Published Mar 25, 2026
CVE-2026-27609

Parse Dashboard is Missing CSRF Protection for its Agent Endpoint

Published Feb 25, 2026
CVE-2016-10564 HIGH

Downloads Resources over HTTP in apk-parser

Published Sep 1, 2020
CVE-2020-5251 HIGH

Information disclosure in parse-server

Published Mar 4, 2020
CVE-2026-33409

Parse Server has an auth provider validation bypass on login via partial authData

Published Mar 19, 2026
GHSA-mwv9-gp5h-frr4

Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties

Published Mar 12, 2026
CVE-2023-26159 HIGH

Follow Redirects improperly handles URLs in the url.parse() function

Published Jan 2, 2024
CVE-2025-53364

Parse Server exposes the data schema via GraphQL API

Published Jul 10, 2025
CVE-2022-0639 MEDIUM

url-parse Incorrectly parses URLs that include an '@'

Published Feb 18, 2022
CVE-2026-25128

fast-xml-parser has RangeError DoS Numeric Entities Bug

Published Jan 30, 2026
CVE-2026-30962

Parse Server has a protected fields bypass via logical query operators

Published Mar 11, 2026
CVE-2024-41818 HIGH

fast-xml-parser vulnerable to ReDOS at currency parsing

Published Jul 29, 2024
CVE-2026-30947

Parse Server has a bypass of class-level permissions in LiveQuery

Published Mar 11, 2026
MAL-2026-1368

Malicious code in json-specparse (npm)

Published Mar 12, 2026
CVE-2026-24001

jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch

Published Jan 14, 2026
CVE-2022-2216 CRITICAL

Server-Side Request Forgery in parse-url

Published Jun 28, 2022
CVE-2026-3455

mailparser vulnerable to Cross-site Scripting

Published Mar 3, 2026
CVE-2026-32053

OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

Published Mar 3, 2026
CVE-2021-27515 MEDIUM

Path traversal in url-parse

Published May 6, 2021
CVE-2026-32944

Parse Server crash via deeply nested query condition operators

Published Mar 17, 2026
CVE-2026-30229

parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Published Mar 6, 2026
MAL-2025-123

Malicious code in parseq-tracevis (npm)

Published Jan 13, 2025
CVE-2026-32234

Parse Server has a SQL injection via query field name when using PostgreSQL

Published Mar 12, 2026
CVE-2024-45590 HIGH

body-parser vulnerable to denial of service when url encoding is enabled

Published Sep 10, 2024
CVE-2026-35410 MEDIUM
Risk: 36.49/100

Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow

Published Apr 4, 2026
CVE-2024-47183

Parse Server's custom object ID allows to acquire role privileges

Published Oct 4, 2024
CVE-2026-31901

Parse Server vulnerable to user enumeration via email verification endpoint

Published Mar 11, 2026
CVE-2026-30854

Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Published Mar 9, 2026
CVE-2023-46119 HIGH

Parse Server may crash when uploading file without extension

Published Oct 24, 2023
CVE-2026-33421

Parse Server's LiveQuery bypasses CLP pointer permission enforcement

Published Mar 20, 2026
CVE-2023-26920 MEDIUM

fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name

Published Jun 13, 2023
CVE-2025-25285

@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Published Feb 14, 2025
CVE-2026-31875

Parse Server's MFA recovery codes not consumed after use

Published Mar 11, 2026
CVE-2020-36049 HIGH

Resource exhaustion in socket.io-parser

Published Jun 30, 2021
CVE-2016-10574 HIGH

Downloads Resources over HTTP in apk-parser3

Published Sep 1, 2020
MAL-2022-1569

Malicious code in bigid-filter-recursive-parser (npm)

Published Jun 20, 2022
CVE-2022-46175 HIGH

Prototype Pollution in JSON5 via Parse Method

Published Dec 29, 2022
CVE-2026-1528

Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client

Published Mar 13, 2026
CVE-2021-3664 MEDIUM

Open redirect in url-parse

Published Aug 10, 2021
CVE-2025-69874

nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()

Published Feb 11, 2026
CVE-2026-32770

Parse Server LiveQuery subscription with invalid regular expression crashes server

Published Mar 17, 2026
CVE-2016-10660 HIGH

Downloads Resources over HTTP in fis-parser-sass-bin

Published Feb 18, 2019
CVE-2021-23346 MEDIUM

html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS)

Published Mar 18, 2021
CVE-2026-33349

Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser

Published Mar 19, 2026
CVE-2019-17592 HIGH

Regular Expression Denial of Service in csv-parse

Published Oct 15, 2019
CVE-2026-27942

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Published Feb 26, 2026
CVE-2026-30925

Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery

Published Mar 10, 2026
CVE-2026-32742

Parse Server session creation endpoint allows overwriting server-generated session fields

Published Mar 17, 2026
CVE-2018-7560 HIGH

AWS Lambda parser is vulnerable to Regular Expression Denial of Service

Published Mar 5, 2018
CVE-2026-30966

Parse Server has role escalation and CLP bypass via direct `_Join` table write

Published Mar 11, 2026
CVE-2022-2217 MEDIUM

Cross site scripting in parse-url

Published Jun 28, 2022
CVE-2022-3224 MEDIUM

parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing

Published Sep 16, 2022
CVE-2026-30939

Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution

Published Mar 10, 2026
CVE-2026-32594

Parse Server's GraphQL WebSocket endpoint bypasses security middleware

Published Mar 13, 2026
CVE-2025-62381

`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`

Published Oct 15, 2025
CVE-2026-30850

Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Published Mar 9, 2026
CVE-2016-10632 HIGH

apk-parser2 downloads Resources over HTTP

Published Sep 18, 2018
CVE-2026-31856

Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL

Published Mar 11, 2026
CVE-2022-2900 CRITICAL

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url

Published Sep 15, 2022
GHSA-3r78-rqg8-95gg

Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

Published Mar 21, 2026
CVE-2026-32269

Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint

Published Mar 13, 2026
CVE-2026-27610

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

Published Feb 25, 2026
CVE-2021-23490 HIGH

Uncontrolled Resource Consumption in parse-link-header

Published Jan 6, 2022
MAL-2025-192964

Malicious code in @peter_wilson12091/internal-json-test-parser (npm)

Published Dec 30, 2025
CVE-2020-28462 HIGH

ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse`

Published Jul 26, 2022
CVE-2018-3774 CRITICAL

Open Redirect in url-parse

Published Aug 13, 2018
CVE-2020-6836 CRITICAL

Command Injection in hot-formula-parser

Published May 6, 2020
CVE-2026-32878

Parse Server vulnerable to schema poisoning via prototype pollution in deep copy

Published Mar 17, 2026
CVE-2020-7733 HIGH

Regular Expression Denial of Service in ua-parser-js

Published May 7, 2021
CVE-2024-27298 CRITICAL

ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection

Published Mar 1, 2024
CVE-2026-30941

Parse Server has a NoSQL injection via token type in password reset and email verification endpoints

Published Mar 11, 2026
GHSA-v273-448j-v4qj

LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read

Published Apr 8, 2026
CVE-2026-33508

Parse Server LiveQuery subscription query depth bypass

Published Mar 20, 2026
CVE-2026-30965

Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter

Published Mar 11, 2026
MAL-2022-3615

Malicious code in hermes-parser-packages (npm)

Published Jun 20, 2022
CVE-2023-34104 HIGH

fast-xml-parser vulnerable to Regex Injection via Doctype Entities

Published Jun 6, 2023
CVE-2021-27292 HIGH

Regular Expression Denial of Service (ReDoS) in ua-parser-js

Published May 6, 2021
CVE-2026-34211 HIGH
Risk: 50.42/100

SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser

Published Apr 3, 2026
CVE-2026-31828

Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction

Published Mar 11, 2026
MAL-2022-2951

Malicious code in eziparser (npm)

Published Aug 19, 2022
CVE-2026-33042

Parse Server affected by empty authData bypassing credential requirement on signup

Published Mar 17, 2026
CVE-2026-33624

Parse Server: MFA recovery code single-use bypass via concurrent requests

Published Mar 24, 2026
GHSA-236c-vhj4-gfxg

Duplicate Advisory: Embedded malware in ua-parser-js

Published May 25, 2022
CVE-2019-1020012 HIGH

Parse Server before v3.4.1 vulnerable to Denial of Service

Published Jun 13, 2019
CVE-2026-32029

OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions

Published Mar 3, 2026
CVE-2025-30168

Parse Server has an OAuth login vulnerability

Published Mar 21, 2025
GHSA-33hq-fvwr-56pm

devalue affected by CPU and memory amplification from sparse arrays

Published Feb 19, 2026
CVE-2026-30226

devalue has prototype pollution in devalue.parse and devalue.unflatten

Published Mar 12, 2026
CVE-2026-33036

fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

Published Mar 17, 2026
MAL-2022-2177

Malicious code in cooieparser (npm)

Published Aug 19, 2022
GHSA-8f9r-gr6r-x63q

Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation

Published Apr 10, 2026
CVE-2025-68150

Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter

Published Dec 16, 2025
CVE-2026-32728

Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries

Published Mar 16, 2026
CVE-2023-36475 CRITICAL

Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Published Jun 30, 2023
CVE-2026-30949

Parse Server missing audience validation in Keycloak authentication adapter

Published Mar 11, 2026
CVE-2021-27405 HIGH

Regular expression Denial of Service in @progfay/scrapbox-parser

Published Mar 1, 2021
CVE-2026-33498

Parse Server has a query condition depth bypass via pre-validation transform pipeline

Published Mar 20, 2026
CVE-2020-8124 MEDIUM

Improper Validation and Sanitization in url-parse

Published Jan 6, 2022
CVE-2020-26288 HIGH

Parse Server stores password in plain text

Published Dec 28, 2020
MAL-2022-4603

Malicious code in minimum-flow-parser (npm)

Published Jun 20, 2022
CVE-2024-39309 CRITICAL

ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

Published Jul 1, 2024
CVE-2022-0691 CRITICAL

url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.

Published Feb 22, 2022
CVE-2025-32020

crud-query-parser SQL Injection vulnerability

Published Apr 9, 2025
CVE-2022-0624 HIGH

Authorization Bypass in parse-path

Published Jun 29, 2022
CVE-2026-25896

fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

Published Feb 20, 2026
CVE-2026-30946

Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Published Mar 11, 2026
GHSA-g4v2-qx3q-4p64

Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Published Apr 8, 2026
CVE-2023-32688 MEDIUM

Invalid push request payload crashes Parse Server

Published May 22, 2023
GHSA-p464-m8x6-vhv8

OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion

Published Apr 3, 2026
CVE-2022-24760 CRITICAL

Command injection in Parse Server through prototype pollution

Published Mar 11, 2022
CVE-2025-64430

Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format

Published Nov 5, 2025
MAL-2024-3

Malicious code in hubl-parser (npm)

Published Jan 1, 2024
MAL-2025-1104

Malicious code in custom-query-parse-serialization (npm)

Published Feb 3, 2025
CVE-2026-27608

Parse Dashboard is Missing Authorization for its Agent Endpoint

Published Feb 25, 2026
CVE-2026-27595

Parse Dashboard has incomplete authentication on AI Agent endpoint

Published Feb 25, 2026
CVE-2022-39231 LOW

parse-server auth adapter app ID validation can be circumvented

Published Sep 21, 2022
CVE-2026-30967

Parse Server OAuth2 authentication adapter account takeover via identity spoofing

Published Mar 11, 2026
CVE-2016-10666 HIGH

Downloads Resources over HTTP in tomita-parser

Published Feb 18, 2019
CVE-2022-42743 MEDIUM

deep-parse-json vulnerable to Prototype Pollution

Published Nov 4, 2022
CVE-2026-31800

Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Published Mar 11, 2026
MAL-2025-47023

Malicious code in x-session-parser (npm)

Published Sep 10, 2025
MAL-2025-143

Malicious code in bridge-transaction-parser (npm)

Published Jan 20, 2025
CVE-2021-23416 MEDIUM

Cross-site Scripting in curly-bracket-parser

Published Aug 10, 2021
CVE-2021-23343 MEDIUM

Regular Expression Denial of Service in path-parse

Published Aug 10, 2021
CVE-2026-30848

Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Published Mar 9, 2026
GHSA-8fgx-wgvr-pcx8

Zod jsVideoUrlParser vulnerable to ReDoS in util.js

Published Apr 10, 2026
CVE-2026-33538

Parse Server: Denial of Service via unindexed database query for unconfigured auth providers

Published Mar 24, 2026
MAL-2025-192625

Malicious code in cursorparserfruit (npm)

Published Dec 19, 2025
CVE-2026-30948

Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload

Published Mar 11, 2026
CVE-2019-1020013 MEDIUM

Sensitive Data Exposure in parse-server

Published Jul 11, 2019
CVE-2022-41879 HIGH

Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

Published Nov 10, 2022
MAL-2025-192650

Malicious code in viktorparserctf4 (npm)

Published Dec 19, 2025
MAL-2025-192653

Malicious code in viktorparserctf7 (npm)

Published Dec 19, 2025
CVE-2026-30835

parse-server: Malformed `$regex` query leaks database error details in API response

Published Mar 6, 2026
CVE-2025-32997

http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed

Published Apr 15, 2025
MAL-2025-192371

Malicious code in tna_xmlparser (npm)

Published Dec 7, 2025
CVE-2026-33539

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter

Published Mar 24, 2026
CVE-2022-0686 CRITICAL

Authorization Bypass Through User-Controlled Key in url-parse

Published Feb 21, 2022
MAL-2025-190630

Malicious code in parse-session (npm)

Published Nov 24, 2025
MAL-2025-190635

Malicious code in @asyncapi/avro-schema-parser (npm)

Published Nov 24, 2025
CVE-2022-24434 HIGH

Crash in HeaderParser in dicer

Published May 21, 2022
MAL-2025-48426

Malicious code in vite-plugin-parseflow (npm)

Published Oct 15, 2025
CVE-2025-68115

Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables

Published Dec 16, 2025
MAL-2025-191336

Malicious code in @voiceflow/body-parser (npm)

Published Nov 25, 2025
MAL-2025-582

Malicious code in web3-parser (npm)

Published Jan 24, 2025
GHSA-mmpq-5hcv-hf2v

Parse Server has a login timing side-channel reveals user existence

Published Apr 8, 2026
CVE-2026-22775

devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse

Published Jan 15, 2026
MAL-2026-1621

Malicious code in @f5rest/odata-v4-parser (npm)

Published Mar 18, 2026
CVE-2026-31871

Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL

Published Mar 11, 2026
CVE-2022-39313 HIGH

parse-server crashes when receiving file download request with invalid byte range

Published Oct 18, 2022
CVE-2017-16113 HIGH

Regular Expression Denial of Service in parsejson

Published Jul 24, 2018
CVE-2026-32098

Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause

Published Mar 12, 2026
MAL-2026-2676

Malicious code in moscova-plural-json-parser (npm)

Published Apr 15, 2026
CVE-2026-33527

Parse Server's Session Update endpoint allows overwriting server-generated session fields

Published Mar 24, 2026
CVE-2026-30938

Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Published Mar 10, 2026
CVE-2026-33429

Parse Server has a protected field change detection oracle via LiveQuery watch parameter

Published Mar 20, 2026
MAL-2025-49441

Malicious code in superbankxmlparser (npm)

Published Nov 9, 2025
CVE-2026-31840

Parse Server: SQL injection via dot-notation field name in PostgreSQL

Published Mar 10, 2026
CVE-2021-4229 MEDIUM

Embedded malware in ua-parser-js

Published Oct 22, 2021
MAL-2025-4597

Malicious code in http-parse (npm)

Published May 30, 2025
CVE-2020-7788 HIGH

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Published Dec 10, 2020
CVE-2020-36649 LOW

Regular Expression Denial of Service in papaparse

Published Sep 4, 2020
CVE-2026-1245

binary-parser library has a code injection vulnerability

Published Jan 20, 2026
CVE-2023-22474 HIGH

Parse Server option `masterKeyIps` vulnerability to IP spoofing

Published Jan 31, 2023
CVE-2026-32943

Parse Server has a password reset token single-use bypass via concurrent requests

Published Mar 17, 2026
CVE-2026-31868

Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types

Published Mar 11, 2026
CVE-2020-7608 MEDIUM

yargs-parser Vulnerable to Prototype Pollution

Published Sep 4, 2020
CVE-2020-28461 HIGH

js-ini Prototype Pollution when malicious INI files submitted to an application that parses it with `parse`

Published Jul 26, 2022
CVE-2026-32256

music-metadata has an infinite loop vulnerability in ASF parser

Published Mar 17, 2026
GHSA-v8w9-8mx6-g223

Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })

Published Mar 11, 2026
MAL-2025-192544

Malicious code in afruitmaliciousxmlparser (npm)

Published Dec 12, 2025
MAL-2022-6822

Malicious code in url-parser-native (npm)

Published Jun 20, 2022
CVE-2026-34215 MEDIUM
Risk: 32.51/100

Parse Server exposes auth data via verify password endpoint

Published Mar 29, 2026
CVE-2025-13466

body-parser is vulnerable to denial of service when url encoding is used

Published Nov 25, 2025
CVE-2026-33627

Parse Server exposes auth data via /users/me endpoint

Published Mar 24, 2026
CVE-2026-27804

Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Published Feb 25, 2026
CVE-2026-30863

Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

Published Mar 9, 2026
GHSA-xffm-g5w8-qvg7

@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser

Published Jul 18, 2025
CVE-2026-33163

Parse Server leaks protected fields via LiveQuery afterEvent trigger

Published Mar 18, 2026
MAL-2025-191189

Malicious code in @antstackio/graphql-body-parser (npm)

Published Nov 25, 2025
MAL-2025-4580

Malicious code in style-value-parser (npm)

Published May 26, 2025
CVE-2021-3666 CRITICAL

body-parser-xml vulnerable to Prototype Pollution

Published Sep 14, 2021
GHSA-3h52-cx59-c456

OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation

Published Mar 29, 2026
MAL-2025-192862

Malicious code in session-parse (npm)

Published Dec 23, 2025
MAL-2025-3578

Malicious code in discord-json-parser (npm)

Published May 2, 2025
CVE-2026-32886

Parse Server's Cloud function dispatch crashes server via prototype chain traversal

Published Mar 17, 2026
CVE-2024-29651 HIGH

json-schema-ref-parser Prototype Pollution issue

Published May 20, 2024
MAL-2022-5046

Malicious code in ok-message-parser (npm)

Published Jun 20, 2022
CVE-2026-32248

Parse Server: Account takeover via operator injection in authentication data identifier

Published Mar 12, 2026
MAL-2022-2599

Malicious code in dtdl-parser (npm)

Published Jun 20, 2022
MAL-2022-537

Malicious code in @puresec/addressparser-malicious (npm)

Published Jul 8, 2022
CVE-2026-33323

Parse Server email verification resend page leaks user existence

Published Mar 19, 2026
MAL-2025-191581

Malicious code in react-adparser (npm)

Published Dec 1, 2025
MAL-2025-192651

Malicious code in viktorparserctf5 (npm)

Published Dec 19, 2025
MAL-2025-192652

Malicious code in viktorparserctf6 (npm)

Published Dec 19, 2025
MAL-2026-67

Malicious code in redis-cookie-parser (npm)

Published Jan 6, 2026
MAL-2026-71

Malicious code in redis-request-parser (npm)

Published Jan 6, 2026
CVE-2026-26278

fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)

Published Feb 17, 2026
CVE-2022-2218 MEDIUM

Cross site scripting in parse-url

Published Jun 28, 2022
CVE-2024-6376

ejson shell parser in MongoDB Compass may be bypassed

Published Jul 1, 2024
CVE-2026-34595 MEDIUM
Risk: 21.51/100

Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value

Published Apr 1, 2026
CVE-2026-33228

Prototype Pollution via parse() in NodeJS flatted

Published Mar 19, 2026
MAL-2025-192465

Malicious code in tnaparserxml (npm)

Published Dec 11, 2025
MAL-2025-192466

Malicious code in tnaxmlparserctf (npm)

Published Dec 11, 2025
MAL-2025-192552

Malicious code in hfruitmaliciousxmlparser (npm)

Published Dec 12, 2025
CVE-2026-32242

Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance

Published Mar 12, 2026
MAL-2025-192863

Malicious code in smart-parser (npm)

Published Dec 23, 2025
CVE-2026-30228

parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction

Published Mar 6, 2026
CVE-2020-7793 HIGH

ua-parser-js Regular Expression Denial of Service vulnerability

Published Feb 9, 2022
CVE-2022-0722 HIGH

Hostname confusion in parse-url

Published Jun 28, 2022
MAL-2022-2355

Malicious code in datetime-moment-parser (npm)

Published Jun 20, 2022
MAL-2022-3462

Malicious code in grgtgparse (npm)

Published Aug 19, 2022
CVE-2022-0512 MEDIUM

Authorization bypass in url-parse

Published Feb 15, 2022
CVE-2024-9506

ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function

Published Oct 15, 2024
CVE-2026-22774

Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse

Published Jan 15, 2026
CVE-2017-16086 HIGH

ReDoS via long UserAgent header in ua-parser

Published Jul 24, 2018
CVE-2026-29182

Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction

Published Mar 5, 2026
CVE-2021-41109 HIGH

LiveQuery publishes user session tokens in parse-server

Published Sep 30, 2021
CVE-2022-25901 MEDIUM

cookiejar Regular Expression Denial of Service via Cookie.parse function

Published Jan 18, 2023
CVE-2026-34784 HIGH
Risk: 37.51/100

Parse Server's streaming file download bypasses afterFind file trigger authorization

Published Apr 1, 2026
MAL-2025-190641

Malicious code in @asyncapi/protobuf-schema-parser (npm)

Published Nov 24, 2025
MAL-2022-5428

Malicious code in postcsssafeparsear (npm)

Published Aug 19, 2022
GHSA-rcmh-qjqh-p98v

Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls

Published Dec 1, 2025
MAL-2025-190661

Malicious code in @asyncapi/multi-parser (npm)

Published Nov 24, 2025
MAL-2025-49427

Malicious code in otetoparserlparser (npm)

Published Nov 9, 2025
CVE-2021-39187 HIGH

Parse Server crashes with query parameter

Published Sep 2, 2021
MAL-2025-192546

Malicious code in cfruitmaliciousxmlparser (npm)

Published Dec 12, 2025
MAL-2022-1326

Malicious code in azure-dtdl-parser-samples-js-beta (npm)

Published Jun 20, 2022
MAL-2026-203

Malicious code in body-parser-js (npm)

Published Jan 12, 2026
MAL-2023-539

Malicious code in js-cookie-parser (npm)

Published Jun 29, 2023
MAL-2025-192548

Malicious code in efruitmaliciousxmlparser (npm)

Published Dec 12, 2025
MAL-2025-192549

Malicious code in ffruitmaliciousxmlparser (npm)

Published Dec 12, 2025
MAL-2025-192550

Malicious code in fruit-malicious-xml-parser (npm)

Published Dec 12, 2025
MAL-2025-192551

Malicious code in gfruitmaliciousxmlparser (npm)

Published Dec 12, 2025
MAL-2025-192636

Malicious code in ppppparserfruit (npm)

Published Dec 19, 2025
MAL-2025-192646

Malicious code in viktor-xml-parser (npm)

Published Dec 19, 2025
MAL-2025-192647

Malicious code in viktorparserctf (npm)

Published Dec 19, 2025
MAL-2025-192649

Malicious code in viktorparserctf3 (npm)

Published Dec 19, 2025
MAL-2025-192654

Malicious code in viktorparserctf8 (npm)

Published Dec 19, 2025
MAL-2025-192655

Malicious code in viktorparserctf9 (npm)

Published Dec 19, 2025
MAL-2022-4846

Malicious code in nginx-data-transfer-parser (npm)

Published Jun 20, 2022
MAL-2022-6823

Malicious code in url-w.parse (npm)

Published Aug 19, 2022
CVE-2023-37478 HIGH

pnpm incorrectly parses tar archives relative to specification

Published Aug 1, 2023
CVE-2021-26543 HIGH

Command injection in git-parse

Published Feb 10, 2022
CVE-2026-35200 MEDIUM
Risk: 30.18/100

Parse Server: File upload Content-Type override via extension mismatch

Published Apr 4, 2026
CVE-2026-34224 MEDIUM
Risk: 22.01/100

Parse Server has an MFA single-use token bypass via concurrent authData login requests

Published Mar 29, 2026
MAL-2022-3692

Malicious code in htlparsevr2 (npm)

Published Aug 19, 2022
MAL-2023-304

Malicious code in elliptic-parser (npm)

Published Jun 13, 2023
MAL-2023-889

Malicious code in ticket-parser2 (npm)

Published Jan 30, 2023
MAL-2023-890

Malicious code in ticket-parser2-py3 (npm)

Published Jan 30, 2023
MAL-2026-1213

Malicious code in turbo-json-parser (npm)

Published Mar 3, 2026
MAL-2025-190639

Malicious code in @asyncapi/openapi-schema-parser (npm)

Published Nov 24, 2025
MAL-2025-190640

Malicious code in @asyncapi/parser (npm)

Published Nov 24, 2025
MAL-2026-1467

Malicious code in n8n-nodes-csv-parse (npm)

Published Mar 16, 2026
CVE-2021-39138 MEDIUM

parse-server new anonymous user session acts as if it's created with password

Published Aug 23, 2021
CVE-2026-32141

flatted vulnerable to unbounded recursion DoS in parse() revive phase

Published Mar 13, 2026
MAL-2025-15924

Malicious code in boby_parser (npm)

Published Aug 14, 2025
MAL-2025-190496

Malicious code in loger-parser (npm)

Published Nov 14, 2025
MAL-2025-190646

Malicious code in @postman/csv-parse (npm)

Published Nov 24, 2025
MAL-2022-4117

Malicious code in katt-blueprint-parser (npm)

Published Aug 16, 2022
MAL-2024-12107

Malicious code in bridge-transaction-parser-hop400 (npm)

Published Dec 23, 2024
MAL-2025-192547

Malicious code in dfruitmaliciousxmlparser (npm)

Published Dec 12, 2025
MAL-2022-4208

Malicious code in koabodparser (npm)

Published Aug 19, 2022
MAL-2024-1377

Malicious code in cors-parser (npm)

Published May 20, 2024
MAL-2025-3212

Malicious code in glog-parser (npm)

Published Apr 15, 2025
CVE-2026-31808

file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header

Published Mar 10, 2026
CVE-2026-30972

Parse Server has a rate limit bypass via batch request endpoint

Published Mar 11, 2026
CVE-2026-34574 MEDIUM
Risk: 27.01/100

Parse Server has a session field immutability bypass via falsy-value guard

Published Apr 1, 2026
GHSA-gh4j-gqv2-49f6

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

Published Apr 22, 2026
CVE-2026-34573 HIGH
Risk: 37.52/100

parse-server has GraphQL complexity validator exponential fragment traversal DoS

Published Mar 31, 2026
MAL-2025-4827

Malicious code in eslint-parser-vue (npm)

Published Jun 10, 2025
CVE-2026-31872

Parse Server has a protected fields bypass via dot-notation in query and sort

Published Mar 11, 2026
CVE-2026-34532 CRITICAL
Risk: 45.51/100

parse-server has cloud function validator bypass via prototype chain traversal

Published Mar 31, 2026
MAL-2022-3065

Malicious code in fk-ua-parser (npm)

Published Jun 20, 2022
MAL-2025-49446

Malicious code in supxmlparser (npm)

Published Nov 9, 2025
MAL-2025-190870

Malicious code in @mparpaillon/connector-parse (npm)

Published Nov 24, 2025
MAL-2025-4644

Malicious code in https-parse (npm)

Published Jun 3, 2025
MAL-2025-47870

Malicious code in vite-plugin-parse-js (npm)

Published Oct 1, 2025
MAL-2025-48461

Malicious code in @shopify.com/shopifyql-parser (npm)

Published Oct 18, 2025
MAL-2025-48463

Malicious code in shopifyql-parser (npm)

Published Oct 18, 2025
MAL-2025-5958

Malicious code in string-parser-utils (npm)

Published Jul 15, 2025
MAL-2025-192246

Malicious code in remark-parse10 (npm)

Published Dec 3, 2025
MAL-2025-48309

Malicious code in vite-plugin-parse (npm)

Published Oct 10, 2025
MAL-2026-1925

Malicious code in jsonify-parser (npm)

Published Mar 19, 2026
MAL-2025-192611

Malicious code in ctfparsertna (npm)

Published Dec 19, 2025
MAL-2025-192648

Malicious code in viktorparserctf2 (npm)

Published Dec 19, 2025
MAL-2026-678

Malicious code in cookie-parsers-env (npm)

Published Feb 3, 2026
MAL-2025-48006

Malicious code in toskasldfjaldf-parser (npm)

Published Oct 4, 2025
MAL-2026-1962

Malicious code in parsejson-pro (npm)

Published Mar 20, 2026
MAL-2026-1968

Malicious code in safe-json-parsex (npm)

Published Mar 20, 2026
MAL-2026-1952

Malicious code in json-parse-genie (npm)

Published Mar 20, 2026
MAL-2026-967

Malicious code in parse-compat (npm)

Published Feb 20, 2026