SB2026040790 - Inclusion of Functionality from Untrusted Control Sphere in Parse Server


Published: April 7, 2026

Security Bulletin ID: SB2026040790
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: N/A)

The vulnerability allows a remote user to introduce unreviewed code into deployments.

The vulnerability exists due to improper control of version tags in the parse-server repository metadata: when a dependency is resolved from an affected git tag, the tag does not point at the reviewed release it names. A remote user can reference a repository dependency pinned to such an incorrect version tag to introduce unreviewed code into deployments.

The issue affects environments that install Parse Server directly from git version tags, and Bitnami images may also be affected if they incorporated the incorrect 4.9.3 tag.
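As an added example (not code from this bulletin, from Bitnami or from the Parse Server project), the following Node.js script shows the check a deployment owner would run against the condition described above: it lists dependencies in a package.json that install from a git tag, branch or default branch instead of a registry version or a full commit hash, and it compares the commit that a package-lock.json actually resolved for a git dependency against the commit the team reviewed. The package names other than parse-server, the URLs, the commit hashes and the reviewed-commit table are constructed placeholders; the 4.9.3 tag is the one named in this bulletin.

```javascript
// Added example, not code from the bulletin or from Parse Server.
// Audits a package.json for dependencies that install from mutable git
// refs and checks a package-lock.json's resolved git commits against an
// allowlist of commits that were actually reviewed.

const FULL_SHA = /^[0-9a-f]{40}$/i;

// npm treats these as git dependencies: explicit git URLs, hosted
// shorthands (github:, gitlab:, bitbucket:), bare "owner/repo" slugs and
// any URL ending in .git.
function isGitSpec(spec) {
  return (
    /^(git\+|git:\/\/|git@|github:|gitlab:|bitbucket:)/.test(spec) ||
    /^https?:\/\/(github|gitlab|bitbucket)\.(com|org)\//.test(spec) ||
    /\.git(#|$)/.test(spec) ||
    /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)
  );
}

// Classifies one dependency spec. A git dependency is "mutable" unless the
// part after '#' is a full 40-hex commit hash.
function classifyDependencySpec(name, spec) {
  if (!isGitSpec(spec)) {
    return { name, spec, source: 'registry', ref: null, mutable: false,
             reason: 'resolved from the npm registry' };
  }
  const hashIdx = spec.indexOf('#');
  const ref = hashIdx === -1 ? null : spec.slice(hashIdx + 1);
  if (ref === null || ref === '') {
    return { name, spec, source: 'git', ref: null, mutable: true,
             reason: 'no ref: follows the default branch' };
  }
  if (ref.startsWith('semver:')) {
    return { name, spec, source: 'git', ref, mutable: true,
             reason: 'semver range resolved against git tags, which can be moved or re-created' };
  }
  if (FULL_SHA.test(ref)) {
    return { name, spec, source: 'git', ref, mutable: false,
             reason: 'pinned to a full commit hash' };
  }
  return { name, spec, source: 'git', ref, mutable: true,
           reason: 'tag or branch name: the ref can be re-pointed without any change to package.json' };
}

// Returns only the findings a reviewer needs to act on (mutable git refs).
function auditPackageJson(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const c = classifyDependencySpec(name, spec);
      if (c.mutable) findings.push({ section, ...c });
    }
  }
  return findings;
}

// Lockfile check: for each git-resolved package, compare the commit npm
// actually fetched with the reviewed commit. `expected` maps package
// name -> allowed commit hash.
function checkLockResolution(lock, expected) {
  const problems = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = (entry.resolved || '').match(/^git\+.*#([0-9a-f]{40})$/i);
    if (!m) continue; // registry tarball or local path, not a git checkout
    const name = path.replace(/^.*node_modules\//, '');
    const want = expected[name];
    if (want === undefined) {
      problems.push({ name, commit: m[1], problem: 'git dependency with no reviewed commit on record' });
    } else if (want.toLowerCase() !== m[1].toLowerCase()) {
      problems.push({ name, commit: m[1], expected: want,
                      problem: 'resolved commit differs from the reviewed commit' });
    }
  }
  return problems;
}

// Constructed sample inputs (placeholders, not taken from a real project).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    express: '^4.19.2',                                              // registry
    'parse-server': 'github:parse-community/parse-server#4.9.3',    // the tag named in the bulletin
    'some-lib': 'git+https://example.invalid/org/some-lib.git#' + 'a'.repeat(40), // hash-pinned
  },
  devDependencies: { 'dev-tool': 'org/dev-tool' },                  // bare slug, default branch
};
const SAMPLE_LOCK = {
  packages: {
    'node_modules/parse-server': {
      resolved: 'git+ssh://git@github.com/parse-community/parse-server.git#' + 'b'.repeat(40) },
    'node_modules/express': { resolved: 'https://registry.npmjs.org/express/-/express-4.19.2.tgz' },
  },
};
// Placeholder for the commit the team reviewed for the 4.9.3 release.
const REVIEWED_COMMITS = { 'parse-server': 'c'.repeat(40) };

function runSampleAudit() {
  return { mutableRefs: auditPackageJson(SAMPLE_PACKAGE_JSON),
           lockProblems: checkLockResolution(SAMPLE_LOCK, REVIEWED_COMMITS) };
}

console.log(JSON.stringify(runSampleAudit(), null, 2));
```

On the constructed input the audit flags parse-server (tag `4.9.3`) and dev-tool (no ref) as mutable, accepts the hash-pinned some-lib, and reports that the lockfile's resolved parse-server commit differs from the reviewed one. The lockfile comparison is the part that catches a re-pointed tag after the fact, since npm records the commit it fetched, not the tag name.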


Remediation

Install the update from the vendor's website.