ByteOS Network

NVD Vulnerability Details :

CVE-2026-27609

Analyzed

Source-security-advisories@github.com

Published At-25 Feb, 2026 | 03:16

Updated At-27 Feb, 2026 | 19:16

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.3	HIGH	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Type: Secondary

Version: 4.0

Base score: 8.3

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CPE Matches

parseplatform>>parse_dashboard>>7.3.0

cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.42:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.3.0

cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.43:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.3.0

cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.44:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.3.0

cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.5:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.3.0

cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.6:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.3.0

cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.7:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.3.0

cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.8:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.3.0

cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.9:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.3.0-alpha.42

cpe:2.3:a:parseplatform:parse_dashboard:7.3.0-alpha.42:*:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.4.0

cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.1:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.4.0

cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.2:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.4.0

cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.3:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.4.0

cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.4:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.4.0

cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.5:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.5.0

cpe:2.3:a:parseplatform:parse_dashboard:7.5.0:alpha.1:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.5.0

cpe:2.3:a:parseplatform:parse_dashboard:7.5.0:alpha.2:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.1:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.10:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.11:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.12:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.13:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.2:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.3:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.4:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.5:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.6:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.7:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.8:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>7.6.0

cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.9:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.0.0

cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.1:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.0.0

cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.2:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.0.0

cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.3:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.0.0

cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.4:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.0.0

cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.5:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.0.0

cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.6:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.1:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.10:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.11:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.12:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.13:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.2:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.3:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.4:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.5:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.6:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.7:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.8:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.0

cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.9:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.1.1

cpe:2.3:a:parseplatform:parse_dashboard:8.1.1:alpha.1:*:*:*:node.js:*:*

parseplatform>>parse_dashboard>>8.2.0

cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.1:*:*:*:node.js:*:*

Weaknesses

CWE ID	Type	Source
CWE-352	Primary	security-advisories@github.com

CWE ID: CWE-352

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8	security-advisories@github.com	Release Notes
https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc	security-advisories@github.com	Vendor Advisory

Hyperlink: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8

Source: security-advisories@github.com

Resource:

Release Notes

Hyperlink: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc

Source: security-advisories@github.com

Resource:

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History