Inclusion of Functionality from Untrusted Control Sphere in Parse Server - #VU124965


Published: April 6, 2026


Vulnerability identifier: #VU124965
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-829
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote user to introduce unreviewed code into deployments.

The vulnerability exists due to improper control of version tags in the parse-server repository metadata when a dependency is resolved from an affected git tag. A remote user can reference a repository dependency pinned to an incorrect version tag to introduce unreviewed code into deployments.

The issue affects environments that install Parse Server directly from git version tags; Bitnami images may also be affected if they incorporated the incorrect 4.9.3 tag.
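To find deployments exposed to this class of issue, an added example (not code from the advisory or from Parse Server) that scans a package.json for dependencies installed from mutable git references such as version tags rather than from the registry or a full commit SHA; the sample manifest and the tool names in it are constructed for illustration.

```python
"""Flag npm dependencies installed from a git tag or branch (mutable refs).

Added example, not part of the advisory. The sample manifest below is constructed.
"""
import json
import re

# npm git specifiers: "owner/repo#ref", "github:owner/repo#ref",
# "git+https://host/owner/repo.git#ref", "git://host/owner/repo#ref".
GIT_SPEC = re.compile(
    r"^(?:git\+)?(?:https?|ssh|git)://[^#]+#(?P<ref>.+)$"
    r"|^(?:github:|gitlab:|bitbucket:)?(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)#(?P<ref2>.+)$"
)
# Only a full 40-hex commit SHA is immutable; a tag or branch name can be moved.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify(spec):
    """Return 'non-git', 'git-sha' or 'git-mutable' for one dependency specifier."""
    m = GIT_SPEC.match(spec)
    if not m:
        return "non-git"
    ref = m.group("ref") or m.group("ref2")
    return "git-sha" if FULL_SHA.match(ref) else "git-mutable"


def find_mutable_git_deps(package_json_text):
    """List (name, spec) pairs whose install source is a git tag or branch."""
    data = json.loads(package_json_text)
    findings = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(field, {}).items():
            if classify(spec) == "git-mutable":
                findings.append((name, spec))
    return findings


# Constructed manifest: one dependency pinned to a git tag, one to a commit SHA.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "parse-server": "parse-community/parse-server#4.9.3",  # tag: mutable
        "express": "^4.18.2",                                   # registry version
    },
    "devDependencies": {
        "some-tool": "git+https://github.com/example/some-tool.git#"
                     + "0123456789abcdef0123456789abcdef01234567",   # commit SHA
    },
})

if __name__ == "__main__":
    for name, spec in find_mutable_git_deps(SAMPLE_PACKAGE_JSON):
        print(f"{name}: installed from mutable git ref -> {spec}")
```

A dependency the scanner reports should be pinned to a full commit SHA or to a registry version, and the lockfile's resolved commit compared against the release the tag name claims.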


Remediation

Install security update from vendor's website.

Sources