Description
Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code.
Published: 2026-06-25
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parse Server versions prior to 4.10.0 contain a supply chain flaw where incorrect git tags were pushed to the repository pointing to unreviewed code in a personal fork. An attacker can specify such malicious tags in dependency declarations, causing the server to install and execute unauthorized code. This leads to arbitrary code execution on the host, compromising confidentiality, integrity, and availability of the affected system. The weakness is the misuse of untrusted code from an external source, corresponding to CWE‑494.

Affected Systems

The affected product is Parse Server from the parse-community maintainers. All releases before version 4.10.0 are vulnerable, regardless of platform, as the issue resides in the package distribution process.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity vulnerability that could allow remote code execution without user interaction. EPSS is not reported, but the lack of an official KEV listing suggests the vulnerability has not yet been publicly exploited at scale. The likely attack vector is through supply‑chain manipulation via dependency manifests, allowing an attacker to control which code is fetched and installed.

Generated by OpenCVE AI on June 25, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 4.10.0 or later to eliminate the supply chain flaw.
  • Re‑install all dependencies after cleaning the npm cache and verify that all referenced tags correspond to official, signed releases.
  • Use npm audit, package-lock validation, or yarn --frozen-lockfile to enforce integrity of dependencies and prevent the introduction of unreviewed code.

Generated by OpenCVE AI on June 25, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code.
Title Parse Server - Unreviewed Code Execution via Malicious Version Tags
First Time appeared Parseplatform
Parseplatform parse-server
Weaknesses CWE-494
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-26T10:38:03.663Z

Reserved: 2026-06-21T02:08:33.231Z

Link: CVE-2021-47986

cve-icon Vulnrichment

Updated: 2026-06-26T10:37:58.119Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:30:17Z

Weaknesses
  • CWE-494

    Download of Code Without Integrity Check