CVE-2026-31840
CRITICAL · CVSS 4.0 base score 9.3 · EPSS 32.6%
Published Mar 11, 2026 · Last modified Mar 13, 2026
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 9.6.0-alpha.2 and 8.6.28, an attacker can combine a dot-notation field name with the sort query parameter to inject SQL into the PostgreSQL database, because sub-field values in dot-notation queries are not properly escaped. Queries that use dot-notation field names with the distinct and where query parameters may also be affected. Only deployments using a PostgreSQL database are affected. Since the CVSS vector records no privileges and no user interaction required, any client able to submit a query with a sort parameter is a candidate attacker. The vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.
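As an added illustration (not Parse Server's own code, and not the exact query construction in its PostgreSQL adapter), the following JavaScript models the vulnerability class the description names: a dot-notation sort field whose sub-field component is spliced into a PostgreSQL JSON path literal without escaping, beside a hardened builder that allow-lists each path component and quotes it anyway. The builder names, the identifier pattern, and the sample sort strings are assumptions made for this example; the same path-building concern applies to the where and distinct parameters the description mentions.

```javascript
// Added illustration, not Parse Server's own code: a simplified model of how a
// dot-notation field in a `sort` parameter becomes a PostgreSQL ORDER BY
// expression, in a vulnerable form and a hardened form.

// Hypothetical vulnerable builder. It quotes the top-level column but splices
// each dot-notation sub-field into a JSON path literal unescaped, which is the
// CWE-89 pattern the advisory describes.
function buildOrderByVulnerable(sortParam) {
  const clauses = sortParam.split(',').map((raw) => {
    const desc = raw.startsWith('-');
    const field = desc ? raw.slice(1) : raw;
    const [column, ...subPath] = field.split('.');
    let expr = `"${column.replace(/"/g, '""')}"`;
    for (const sub of subPath) {
      expr += `->'${sub}'`; // raw interpolation: a quote in `sub` ends the literal
    }
    return `${expr} ${desc ? 'DESC' : 'ASC'}`;
  });
  return `ORDER BY ${clauses.join(', ')}`;
}

// Hardened builder. Every path component must match an identifier allow-list
// (assumed here to cover what a Parse field name may contain), and quoting is
// applied anyway as defence in depth.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function quoteIdent(name) {
  return `"${name.replace(/"/g, '""')}"`;
}

function quoteLiteral(value) {
  return `'${value.replace(/'/g, "''")}'`;
}

function buildOrderBySafe(sortParam) {
  const clauses = sortParam.split(',').map((raw) => {
    const desc = raw.startsWith('-');
    const field = desc ? raw.slice(1) : raw;
    const parts = field.split('.');
    for (const part of parts) {
      if (!SAFE_IDENT.test(part)) {
        throw new Error(`rejected sort field component ${JSON.stringify(part)}`);
      }
    }
    const [column, ...subPath] = parts;
    let expr = quoteIdent(column);
    for (const sub of subPath) {
      expr += `->${quoteLiteral(sub)}`;
    }
    return `${expr} ${desc ? 'DESC' : 'ASC'}`;
  });
  return `ORDER BY ${clauses.join(', ')}`;
}

// Returns true when the hardened builder accepts the sort parameter.
function sortIsAccepted(sortParam) {
  try {
    buildOrderBySafe(sortParam);
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed inputs for the example: a legitimate sort, and one carrying a
// single quote that closes the sub-field literal early and appends a
// concatenation operator to the expression.
const LEGIT_SORT = '-data.sub,name';
const HOSTILE_SORT = "-data.sub'||'x";

console.log(buildOrderByVulnerable(LEGIT_SORT));
console.log(buildOrderByVulnerable(HOSTILE_SORT)); // injected text survives into the SQL
console.log(buildOrderBySafe(LEGIT_SORT));
console.log(sortIsAccepted(HOSTILE_SORT)); // false: rejected before any SQL is assembled
```

Run it with node: the hostile input shows the single quote terminating the literal so attacker-controlled text becomes part of the ORDER BY expression, while the hardened builder refuses the component before any SQL is built. For a real deployment the remedy is the version upgrade listed below; the example only shows why escaping of sub-field values matters.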
CVSS Details
Base score: 9.3 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
Subsequent System Impact: None
Threat Intelligence
EPSS exploit probability: 32.6%
Known exploit: none reported
Patch: available
Weaknesses (1)
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected Products (3)
| Vendor | Product | Affected versions |
|---|---|---|
| parseplatform | parse-server | < 8.6.28 |
| parseplatform | parse-server | ≥ 9.0.0 and < 9.6.0 |
| parseplatform | parse-server | 9.6.0 (pre-release builds before 9.6.0-alpha.2, per the description) |
References (3)
- https://github.com/parse-community/parse-server/releases/tag/8.6.28
- https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2
- https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27
Remediation
- Upgrade parse-server to 8.6.28 on the 8.x line or to 9.6.0-alpha.2 on the 9.x line (note that 9.6.0-alpha.2 is a pre-release build). Deployments that do not use the PostgreSQL adapter are not affected by this issue.
- https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27