Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-33539
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-24 Mar, 2026 | 19:16
Updated At-25 Mar, 2026 | 21:18

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.6HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 4.0
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CPE Matches
parseplatform
parseplatform
>>parse-server>>Versions before 8.6.59(exclusive)
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>Versions from 9.0.0(inclusive) to 9.6.0(exclusive)
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha42:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha43:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha44:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha45:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha46:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha47:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha48:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha49:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha50:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha51:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.6.0
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha52:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-89Primarysecurity-advisories@github.com
CWE ID: CWE-89
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8csecurity-advisories@github.com
Patch
https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838esecurity-advisories@github.com
Patch
https://github.com/parse-community/parse-server/pull/10272security-advisories@github.com
Issue Tracking
https://github.com/parse-community/parse-server/pull/10273security-advisories@github.com
Issue Tracking
https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3security-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/parse-community/parse-server/pull/10272
Source: security-advisories@github.com
Resource:
Issue Tracking
Hyperlink: https://github.com/parse-community/parse-server/pull/10273
Source: security-advisories@github.com
Resource:
Issue Tracking
Hyperlink: https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3
Source: security-advisories@github.com
Resource:
Vendor Advisory
Change History
0Changes found
Details not found