Information Exposure Through an Error Message in parse-server - CVE-2026-47248

 


Published: May 23, 2026


Vulnerability identifier: #VU132208
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-47248
CWE-ID: CWE-209
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: MeetFox
Affected software:
parse-server

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the GraphQL endpoint generates error messages containing sensitive information when it processes malformed GraphQL queries. A remote attacker can send malformed queries to disclose sensitive information.

Exploitation requires knowledge of the public application id. The issue can expose class names, field names, argument names, mutation names, and input-object fields through validation-error suggestions.
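
The sketch below shows what the validation-error suggestions described above look like in a response body, and one way to strip and log them at a proxy or response hook. It is an added example, not parse-server's code or the vendor's fix; the error strings and type names are constructed in the style of graphql-js validation messages, and the function names are hypothetical.

```javascript
// Added example: find and remove schema-name suggestions in a GraphQL error
// response. Function names are hypothetical; sample messages are constructed.

// Trailing suggestion clause, e.g.: Did you mean "a", "b", or "c"?
const SUGGESTION = /\s*Did you mean [^?]*\?/g;
// Quoted identifiers inside a suggestion clause.
const QUOTED = /"([^"]+)"/g;

// Return the schema names one error message discloses through suggestions.
function leakedNames(message) {
  const names = [];
  for (const clause of message.match(SUGGESTION) || []) {
    for (const m of clause.matchAll(QUOTED)) names.push(m[1]);
  }
  return names;
}

// Return a copy of the response body with suggestion clauses removed,
// plus the de-duplicated list of names that would have been exposed.
function scrubGraphQLErrors(body) {
  if (!body || !Array.isArray(body.errors)) return { body, leaked: [] };
  const leaked = [];
  const errors = body.errors.map((err) => {
    if (!err || typeof err.message !== 'string') return err;
    leaked.push(...leakedNames(err.message));
    return { ...err, message: err.message.replace(SUGGESTION, '').trim() };
  });
  return { body: { ...body, errors }, leaked: [...new Set(leaked)] };
}

// Constructed response to a malformed query (not captured from a real server).
const sampleResponse = {
  errors: [
    { message: 'Cannot query field "usrs" on type "Query". Did you mean "users" or "user"?' },
    { message: 'Unknown argument "wher" on field "Query.users". Did you mean "where"?' },
    { message: 'Field "passwrd" is not defined by type "CreateUserFieldsInput". Did you mean "password"?' },
    { message: 'Syntax Error: Expected Name, found "}".' },
  ],
};

const result = scrubGraphQLErrors(sampleResponse);
console.log('names exposed by suggestions:', result.leaked);
console.log(result.body.errors.map((e) => e.message));
```

A non-empty `leaked` list for a response sent to an unauthenticated client is a useful signal to alert on while the update is being rolled out.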


How to mitigate CVE-2026-47248

Install the security update from the vendor's website.
