CVE-2026-32886
HIGH
Description
### Impact

Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.

### Patches

The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.

### Workarounds

There is no known workaround.
Analysis
Parse Server is vulnerable to denial of service when remote attackers craft malicious cloud function names that exploit prototype chain traversal, allowing them to trigger stack overflows and crash the server process. The vulnerability stems from improper property lookup restrictions during function name resolution. …
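The own-property restriction described under Patches, shown on a toy dotted-name registry with the unrestricted lookup beside it. This is an added example, not Parse Server's code; the registry layout and the names `register`, `resolveUnsafe`, `resolveOwnOnly` and `compare` are hypothetical.

```javascript
// Added illustration, not Parse Server source. The registry and all names
// (register, resolveUnsafe, resolveOwnOnly, compare) are hypothetical.
const registry = Object.create(null);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Store a handler under a dotted name, creating null-prototype namespaces.
function register(name, handler) {
  const parts = name.split('.');
  const leaf = parts.pop();
  let node = registry;
  for (const part of parts) {
    if (!hasOwn(node, part)) node[part] = Object.create(null);
    node = node[part];
  }
  node[leaf] = handler;
}

// Before: plain property access. Once the walk reaches a stored handler,
// the next segment can be satisfied by a property the handler inherits.
function resolveUnsafe(name) {
  let node = registry;
  for (const segment of name.split('.')) {
    if (node === null || node === undefined) return undefined;
    node = node[segment];
  }
  return typeof node === 'function' ? node : undefined;
}

// After: a segment matches only an own property of the current node.
function resolveOwnOnly(name) {
  let node = registry;
  for (const segment of name.split('.')) {
    const walkable = node !== null && (typeof node === 'object' || typeof node === 'function');
    if (!walkable || !hasOwn(node, segment)) return undefined;
    node = node[segment];
  }
  return typeof node === 'function' ? node : undefined;
}

register('hello', () => 'Hello world');
register('reports.daily', () => 'daily report');

// Compare both resolvers over a list of requested names.
function compare(names) {
  return names.map((name) => ({ name, unsafe: resolveUnsafe(name) !== undefined, ownOnly: resolveOwnOnly(name) !== undefined }));
}

// Constructed request names.
console.table(compare(['hello', 'reports.daily', 'missing', 'hello.toString']));
```

Only the last row differs: the unrestricted lookup returns an inherited method for a name nobody registered, while the own-property lookup treats it as an unknown function.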
Remediation
Within 24 hours: Inventory all Parse Server instances and cloud function endpoints; assess exposure to external/untrusted traffic. Within 7 days: Apply available vendor patch to all affected Parse Server deployments in non-production environments and validate functionality. …
GHSA-4263-jgmp-7pf4