CVE-2026-47248

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js

Published: 2026-06-12 · Last updated: 2026-06-12

Severity and scoring

CWE
CWE-209

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through "Did you mean ...?" suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.

Source: NVD
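
Added example, not Parse Server's patch and not code from this page: a response-side filter that removes "Did you mean ...?" hints from GraphQL validation errors for unauthenticated callers and flags clients that keep triggering them. The names `sanitizeResponse`, `ProbeTracker`, `clientKey` and the thresholds are hypothetical; the sample error messages are constructed in the wording graphql-js uses.

```javascript
// Hypothetical mitigation sketch: strip suggestion hints and detect repeated probing.
const SUGGESTION_ALL = /\s*Did you mean [^?]*\?/g; // used for replacement
const SUGGESTION_ONE = /Did you mean [^?]*\?/;     // used for detection (no /g state)

function hasSuggestion(error) {
  return SUGGESTION_ONE.test(String(error.message || ''));
}

// Return a copy of the error with the hint removed; other fields are preserved.
function stripSuggestion(error) {
  const message = String(error.message || '').replace(SUGGESTION_ALL, '').trim();
  return { ...error, message };
}

// Sliding-window counter of suggestion-bearing responses per client (assumed limits).
class ProbeTracker {
  constructor(limit = 3, windowMs = 60000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  // Record one hit; returns true once the client exceeds the limit within the window.
  record(clientKey, now = Date.now()) {
    const recent = (this.hits.get(clientKey) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.hits.set(clientKey, recent);
    return recent.length > this.limit;
  }
}

// Authenticated callers keep the hints (an assumption of this sketch);
// unauthenticated callers get them removed and are counted.
function sanitizeResponse(body, { authenticated, clientKey, now }, tracker) {
  const errors = Array.isArray(body.errors) ? body.errors : [];
  if (authenticated || !errors.some(hasSuggestion)) return { body, flagged: false };
  const flagged = tracker.record(clientKey, now);
  return { body: { ...body, errors: errors.map(stripSuggestion) }, flagged };
}

// Constructed sample response body.
const SAMPLE = {
  errors: [
    { message: 'Cannot query field "usres" on type "Query". Did you mean "users"?' },
    { message: 'Unknown argument "wher" on field "Query.users". Did you mean "where"?' },
  ],
};
```

The filter removes only the hint text; the remaining validation message is left as the server produced it, and the fix the advisory names is upgrading to 8.6.78 or 9.9.1-alpha.2.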

Related CVEs

Same CWE

  • CVE-2026-40997 Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semant... (5.3 MEDIUM)
  • CVE-2026-41730 Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer intern... (5.3 MEDIUM)
  • CVE-2025-52611 HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability (3.1 LOW)
  • CVE-2025-52606 HCL iControl was affected by Weak Input Validation vulnerability (4.3 MEDIUM)
  • CVE-2026-9794 A flaw was found in Keycloak (5.3 MEDIUM)