CVE-2026-31840

CRITICAL · EPSS 32.6%
Published Mar 11, 2026 · Modified Mar 13, 2026
CVSS 4.0 Base Score 9.3 (Critical)

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database, because sub-field values in dot-notation queries are improperly escaped. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. It only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.

CVSS Details

Base Score: 9.3
Exploitability: not listed
Impact: not listed
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact (Confidentiality / Integrity / Availability): High / High / High
Subsequent System Impact (Confidentiality / Integrity / Availability): None / None / None
Scope: X (not defined)

Threat Intelligence

EPSS Exploit Probability: 32.6% percentile
Exploit & Patch Status: No Known Exploit · Patch Available

Weaknesses (1)

CWE-89: SQL Injection

Affected Products (3)

Vendor          Product        Version   Range
parseplatform   parse-server   *         <8.6.28
parseplatform   parse-server   *         ≥9.0.0 – <9.6.0
parseplatform   parse-server   9.6.0     any

References (3)

  • github.com https://github.com/parse-community/parse-server/releases/tag/8.6.28
    Product · Release Notes
  • github.com https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2
    Product · Release Notes
  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27
    Patch · Vendor Advisory

Remediation

  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27
    Patch · Vendor Advisory