CVE-2026-30848

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-30848
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.

3.7 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*
History

10 Mar 2026, 16:56

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 3.7
References () https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh - () https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh - Vendor Advisory
CPE cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
First Time Parseplatform
Parseplatform parse-server
Summary
  • (es) Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.8 y 9.5.0-alpha.8, la ruta de servicio de archivos estáticos de PagesRouter es vulnerable a un ataque de salto de ruta que permite la lectura no autenticada de archivos fuera del directorio pagesPath configurado. La verificación de límites utiliza una comparación de prefijo de cadena sin aplicar un límite de separador de directorio. Un atacante puede usar secuencias de salto de ruta para acceder a archivos en directorios hermanos cuyos nombres comparten el mismo prefijo que el directorio pages (por ejemplo, pages-secret comienza con pages). Este problema ha sido parcheado en las versiones 8.6.8 y 9.5.0-alpha.8.

07 Mar 2026, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-07 17:15

Updated : 2026-03-10 16:56

NVD link : CVE-2026-30848

Mitre link : CVE-2026-30848

CVE.ORG link : CVE-2026-30848

JSON object : View

Products Affected

parseplatform

  • parse-server
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')