#VU124965 Inclusion of Functionality from Untrusted Control Sphere in Parse Server

Published: April 6, 2026


Vulnerability identifier: #VU124965
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-829
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Parse Server
Software vendor:
Parse Community

Description

The vulnerability allows a remote user to introduce unreviewed code into deployments.

The vulnerability exists due to improper control of version tags in the parse-server repository metadata, which affects dependencies resolved from the affected git tags. A remote user can reference a repository dependency pinned to an incorrect version tag to introduce unreviewed code into deployments.

The issue affects environments that install Parse Server directly from git version tags, and Bitnami images may also be affected if they incorporated the incorrect 4.9.3 tag.
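The install path the advisory describes is a dependency taken from a git ref rather than the npm registry, where whoever controls the tag controls the code that lands in the deployment. The following Node.js script is an added example, not code from the advisory or from the Parse Server project: it audits a package.json object for git-based dependency specs and flags any that are pinned to a mutable ref (a tag, a branch, or a `semver:` range over tags) instead of an immutable 40-character commit SHA. The sample package.json, the `example.invalid` repository URL and the package names other than `parse-server` are constructed for the demonstration.

```javascript
// Added example (not from the advisory or the Parse Server project): audit a
// package.json for dependencies resolved from git refs instead of the npm
// registry, and flag any pinned to a mutable ref (tag or branch) rather than
// an immutable 40-hex commit SHA.

// Spellings npm accepts for git dependencies: "git+<proto>://...", "git://...",
// "github:owner/repo" (and gitlab:/bitbucket:/gist:), and bare "owner/repo".
// An optional "#ref" suffix selects the tag, branch, commit or "semver:<range>".
const GIT_SPEC = /^(git\+[a-z]+:\/\/|git:\/\/|github:|gitlab:|bitbucket:|gist:|[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(#|$))/;
const FULL_SHA = /^[0-9a-f]{40}$/;

// Classify one dependency spec. Returns null for registry-style specs
// ("^1.2.3", "latest", "npm:pkg@1.0.0", "file:...", "link:..."), otherwise
// a finding describing how the git ref is pinned.
function classifyGitSpec(name, spec) {
  if (typeof spec !== "string") return null;
  if (spec.startsWith("npm:") || spec.startsWith("file:") || spec.startsWith("link:")) return null;
  if (!GIT_SPEC.test(spec)) return null;
  const hash = spec.indexOf("#");
  const ref = hash === -1 ? "" : spec.slice(hash + 1);
  let pin;
  if (ref === "") pin = "default-branch";          // follows whatever HEAD is today
  else if (ref.startsWith("semver:")) pin = "semver-tag"; // resolves to a tag, still mutable
  else if (FULL_SHA.test(ref)) pin = "commit";      // content-addressed, immutable
  else pin = "tag-or-branch";                       // a tag or branch can be moved
  return { name, spec, ref, pin, immutable: pin === "commit" };
}

// Walk every dependency section of a parsed package.json; returns findings
// for git-based dependencies only.
function auditGitDependencies(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const f = classifyGitSpec(name, spec);
      if (f) findings.push({ section, ...f });
    }
  }
  return findings;
}

// Constructed sample package.json. The parse-server entry uses the tag form
// the advisory warns about (the 4.9.3 tag it names); the other entries are
// made up to exercise each classification.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "parse-server": "github:parse-community/parse-server#4.9.3",
    "express": "^4.18.2",
    "some-lib": "git+https://example.invalid/org/some-lib.git#0123456789abcdef0123456789abcdef01234567",
    "other-lib": "org/other-lib",
  },
  devDependencies: { "jest": "29.0.0" },
};

// Print one line per git-based dependency; anything not pinned to a commit
// is the case to review before deploying.
for (const f of auditGitDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.immutable ? "ok  " : "WARN"} ${f.section}/${f.name}: ${f.spec} (${f.pin})`);
}
```

Run it with `node audit.js` against a real project by replacing `SAMPLE_PACKAGE_JSON` with `JSON.parse(fs.readFileSync("package.json", "utf8"))`; the same classification can be applied to the `resolved` fields of a lockfile, where a git dependency should already carry a commit SHA.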


Remediation

Install security update from vendor's website.

External links