Skip to main content

Parse Server CVE-2021-47986

| EUVDEUVD-2021-34852 HIGH
Download of Code Without Integrity Check (CWE-494)
2026-06-25 VulnCheck GHSA-g938-h978-wf7v
7.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 23:04 EUVD
CVE Published
Jun 25, 2026 - 21:41 cve.org
HIGH 7.7

DescriptionCVE.org

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code.

AnalysisAI

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-494. Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code. Affected products include: Parse-Community Parse-Server. Version information: before 4.10.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2026-32248 CRITICAL POC
9.8 Mar 12

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

CVE-2026-32242 HIGH POC
7.4 Mar 12

### Impact Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all

CVE-2026-30966 CRITICAL
10.0 Mar 10

Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.

CVE-2024-27298 CRITICAL
10.0 Mar 01

parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotel

CVE-2026-30863 CRITICAL
9.8 Mar 07

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popula

CVE-2026-31840 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

CVE-2026-31871 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

CVE-2026-31856 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

CVE-2023-36475 CRITICAL
9.8 Jun 28

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41878 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41879 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

Share

CVE-2021-47986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy