Skip to main content

Parse Server CVE-2021-47987

| EUVDEUVD-2021-34853 HIGH
Download of Code Without Integrity Check (CWE-494)
2026-06-25 VulnCheck GHSA-h6qh-8r3c-pc9v
7.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 23:04 EUVD
CVE Published
Jun 25, 2026 - 21:41 cve.org
HIGH 7.7

DescriptionCVE.org

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.

AnalysisAI

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-494. Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out. Affected products include: Parse-Community Parse-Server. Version information: before 4.10.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2026-32248 CRITICAL POC
9.8 Mar 12

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

CVE-2026-32242 HIGH POC
7.4 Mar 12

### Impact Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all

CVE-2026-30966 CRITICAL
10.0 Mar 10

Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.

CVE-2024-27298 CRITICAL
10.0 Mar 01

parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotel

CVE-2026-30863 CRITICAL
9.8 Mar 07

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popula

CVE-2026-31840 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

CVE-2026-31871 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

CVE-2026-31856 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

CVE-2023-36475 CRITICAL
9.8 Jun 28

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41878 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41879 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

Share

CVE-2021-47987 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy