{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T22:42:56.102","vulnerabilities":[{"cve":{"id":"CVE-2026-30965","sourceIdentifier":"security-advisories@github.com","published":"2026-03-10T21:16:48.820","lastModified":"2026-03-11T15:31:39.400","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21."},{"lang":"es","value":"Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.8 y 8.6.21, una vulnerabilidad en el manejo de consultas de Parse Server permite a un atacante autenticado o no autenticado exfiltrar tokens de sesión de otros usuarios explotando el parámetro de consulta redirectClassNameForKey. Los tokens de sesión exfiltrados pueden ser usados para tomar el control de cuentas de usuario. La vulnerabilidad requiere que el atacante pueda crear o actualizar un objeto con un nuevo campo de relación, lo cual depende de los Permisos a Nivel de Clase de al menos una clase. Esta vulnerabilidad está corregida en 9.5.2-alpha.8 y 8.6.21."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionEndExcluding":"8.6.21","matchCriteriaId":"7D18B8D4-DC43-4F34-B68A-241F384AF08F"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.5.2","matchCriteriaId":"E66572ED-597B-4D8E-A636-733D463A4E4D"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*","matchCriteriaId":"E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*","matchCriteriaId":"6521B8A9-6116-4CAE-9B5E-F22C204B1F0C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*","matchCriteriaId":"601B2CF1-D29A-42CC-8405-185C1A8E1EB2"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*","matchCriteriaId":"BC9F2B9D-026F-454B-B565-05AA441FA54F"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*","matchCriteriaId":"FDDB20F1-F6A7-4B1E-B075-CC250613D826"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*","matchCriteriaId":"CA14D0B7-B952-4C4E-B271-3EBB51C03E9C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*","matchCriteriaId":"19B7C5A9-B59A-4A47-B4F0-13C7C796B496"}]}]}],"references":[{"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.21","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f","source":"security-advisories@github.com","tags":["Vendor Advisory","Mitigation"]}]}}]}