Publish Advisories

GHSA-p7fw-vjjm-2rwp
GHSA-6q5m-63h6-5x4v
GHSA-6qh5-m6g3-xhq6
GHSA-9fjp-q3c4-6w3j
GHSA-9r5m-9576-7f6x
GHSA-c83f-3xp6-hfcp
GHSA-f7xc-5852-fj99
GHSA-fph2-r4qg-9576
GHSA-h29g-q5c2-9h4f
GHSA-jc39-686j-wp6q
GHSA-pfj7-wv7c-22pr
GHSA-qpc3-fg4j-8hgm

Author: advisory-database[bot]

advisories/github-reviewed/2025/06/GHSA-p7fw-vjjm-2rwp/GHSA-p7fw-vjjm-2rwp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p7fw-vjjm-2rwp",
-  "modified": "2026-01-15T17:48:08Z",
+  "modified": "2026-03-30T13:54:07Z",
   "published": "2025-06-26T21:12:45Z",
   "aliases": [
     "CVE-2025-52890"

advisories/github-reviewed/2026/03/GHSA-6q5m-63h6-5x4v/GHSA-6q5m-63h6-5x4v.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6q5m-63h6-5x4v",
-  "modified": "2026-03-25T17:44:23Z",
+  "modified": "2026-03-30T13:53:32Z",
   "published": "2026-03-25T17:44:23Z",
   "aliases": [
     "CVE-2026-33287"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33287"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d"
@@ -57,6 +61,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-25T17:44:23Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-26T01:16:27Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-6qh5-m6g3-xhq6/GHSA-6qh5-m6g3-xhq6.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6qh5-m6g3-xhq6",
-  "modified": "2026-03-20T21:48:17Z",
+  "modified": "2026-03-30T13:51:41Z",
   "published": "2026-03-20T21:48:17Z",
   "aliases": [
     "CVE-2026-33508"
   ],
   "summary": "Parse Server LiveQuery subscription query depth bypass",
   "details": "### Impact\n\nParse Server's LiveQuery component does not enforce the `requestComplexity.queryDepth` configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability.\n\nDeployments are affected when the LiveQuery WebSocket endpoint is reachable by untrusted clients.\n\n### Patches\n\nThe fix adds query condition depth validation to the LiveQuery subscription handler, enforcing the same `requestComplexity.queryDepth` limit that already protects REST API queries.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
@@ -59,6 +63,10 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33508"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10259"
@@ -67,6 +75,14 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10260"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/parse-community/parse-server"
@@ -79,6 +95,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-20T21:48:17Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T19:16:54Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-9fjp-q3c4-6w3j/GHSA-9fjp-q3c4-6w3j.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9fjp-q3c4-6w3j",
-  "modified": "2026-03-20T20:56:22Z",
+  "modified": "2026-03-30T13:51:36Z",
   "published": "2026-03-20T20:56:22Z",
   "aliases": [
     "CVE-2026-33498"
   ],
   "summary": "Parse Server has a query condition depth bypass via pre-validation transform pipeline",
   "details": "### Impact\n\nAn attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.\n\n### Patches\n\nThe query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.\n\n### Workarounds\n\nNone.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
@@ -59,6 +63,10 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33498"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10257"
@@ -67,6 +75,14 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10258"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/parse-community/parse-server"
@@ -79,6 +95,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-20T20:56:22Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T19:16:54Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-9r5m-9576-7f6x/GHSA-9r5m-9576-7f6x.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9r5m-9576-7f6x",
-  "modified": "2026-03-25T17:40:53Z",
+  "modified": "2026-03-30T13:53:35Z",
   "published": "2026-03-25T17:40:53Z",
   "aliases": [
     "CVE-2026-33285"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33285"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578"
@@ -57,6 +61,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-25T17:40:53Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-26T01:16:27Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-c83f-3xp6-hfcp/GHSA-c83f-3xp6-hfcp.json

@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c83f-3xp6-hfcp",
-  "modified": "2026-03-25T22:00:13Z",
+  "modified": "2026-03-30T13:53:47Z",
   "published": "2026-03-25T22:00:13Z",
   "aliases": [
     "CVE-2026-33182"
   ],
   "summary": "Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL",
   "details": "### Impact\nUsers providing user generated input into the `resolveEndpoint` method on requests.\n\n### Patches\nUpgrade to Saloon v4+\n\nUpgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4\n\n### Description\nWhen building the request URL, Saloon combined the connector's base URL with the request endpoint. If the endpoint was a valid absolute URL (e.g. https://attacker.example.com/callback), the code used that URL as-is and ignored the base URL. The request—and any authentication headers, cookies, or tokens attached by the connector—was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix (in the next major version) is to reject absolute URLs in the endpoint: URLHelper::join() throws InvalidArgumentException when the endpoint is a valid absolute URL, unless explicitly allowed, requiring callers to opt-in to the functionality on a per-connector or per-request basis.\n\n### Credits\nSaloon thanks @HuajiHD for finding the issue and recommending solutions and @JonPurvis for applying the fix.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -35,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/saloonphp/saloon/security/advisories/GHSA-c83f-3xp6-hfcp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33182"
+    },
     {
       "type": "WEB",
       "url": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4"
@@ -52,6 +61,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-25T22:00:13Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-26T01:16:27Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-f7xc-5852-fj99/GHSA-f7xc-5852-fj99.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f7xc-5852-fj99",
-  "modified": "2026-03-25T22:00:43Z",
+  "modified": "2026-03-30T13:53:42Z",
   "published": "2026-03-25T22:00:43Z",
   "aliases": [
     "CVE-2026-33183"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/saloonphp/saloon/security/advisories/GHSA-f7xc-5852-fj99"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33183"
+    },
     {
       "type": "WEB",
       "url": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4"
@@ -52,11 +56,12 @@
   "database_specific": {
     "cwe_ids": [
       "CWE-125",
+      "CWE-22",
       "CWE-787"
     ],
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-25T22:00:43Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-26T01:16:27Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-fph2-r4qg-9576/GHSA-fph2-r4qg-9576.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fph2-r4qg-9576",
-  "modified": "2026-03-20T20:44:36Z",
+  "modified": "2026-03-30T13:51:19Z",
   "published": "2026-03-20T20:44:36Z",
   "aliases": [
     "CVE-2026-33421"
   ],
   "summary": "Parse Server's LiveQuery bypasses CLP pointer permission enforcement",
   "details": "### Impact\n\nParse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (`readUserFields` and `pointerFields`). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API.\n\n### Patches\n\nThe LiveQuery server now enforces pointer permissions on each event. After the existing check passes (which defers pointer permissions by design), the fix checks whether any configured pointer field on the object points to the subscribing user. Events for objects that don't match are silently skipped, consistent with how ACL mismatches are handled.\n\n### Workarounds\n\nUse ACLs on individual objects to restrict read access instead of relying solely on CLP pointer permissions. ACLs are enforced by LiveQuery.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
@@ -59,6 +63,10 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33421"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10250"
@@ -67,6 +75,14 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10252"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/parse-community/parse-server"
@@ -79,6 +95,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-20T20:44:36Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T19:16:53Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-h29g-q5c2-9h4f/GHSA-h29g-q5c2-9h4f.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h29g-q5c2-9h4f",
-  "modified": "2026-03-19T18:21:18Z",
+  "modified": "2026-03-30T13:51:06Z",
   "published": "2026-03-19T18:21:18Z",
   "aliases": [
     "CVE-2026-33323"
   ],
   "summary": "Parse Server email verification resend page leaks user existence",
   "details": "### Impact\n\nThe Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing `emailVerifySuccessOnInvalidEmail` configuration option, which is enabled by default and protects the API route against this, did not apply to these routes.\n\n### Patches\n\nThe email verification resend routes now respect the `emailVerifySuccessOnInvalidEmail` option. When set to `true` (the default), both routes redirect to the success page regardless of the outcome, preventing user enumeration.\n\n### Workarounds\n\nThere is no known workaround to prevent the information disclosure other than upgrading.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
@@ -59,6 +63,10 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33323"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10238"
@@ -67,6 +75,14 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10243"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/parse-community/parse-server"
@@ -79,6 +95,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T18:21:18Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T19:16:52Z"
   }
 }