Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-43930
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-12 May, 2026 | 14:17
Updated At-26 May, 2026 | 16:39

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.1LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.9MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CPE Matches
parseplatform
parseplatform
>>parse-server>>Versions before 8.6.76(exclusive)
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>Versions from 9.0.0(inclusive) to 9.9.0(exclusive)
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse-server>>9.9.0
cpe:2.3:a:parseplatform:parse-server:9.9.0:alpha1:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-362Primarysecurity-advisories@github.com
CWE ID: CWE-362
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/parse-community/parse-server/pull/10448security-advisories@github.com
Issue Tracking
Patch
https://github.com/parse-community/parse-server/pull/10449security-advisories@github.com
Issue Tracking
Patch
https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fjsecurity-advisories@github.com
Mitigation
Vendor Advisory
Hyperlink: https://github.com/parse-community/parse-server/pull/10448
Source: security-advisories@github.com
Resource:
Issue Tracking
Patch
Hyperlink: https://github.com/parse-community/parse-server/pull/10449
Source: security-advisories@github.com
Resource:
Issue Tracking
Patch
Hyperlink: https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj
Source: security-advisories@github.com
Resource:
Mitigation
Vendor Advisory
Change History
0Changes found
Details not found