Description
Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code.
Published: 2026-06-25
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parse Server versions prior to 4.10.0 contain a supply chain flaw where incorrect git tags were pushed to the repository pointing to unreviewed code in a personal fork. An attacker can specify such malicious tags in dependency declarations, causing the host that installs the dependency to fetch and execute unauthorized code. This leads to arbitrary code execution on the host, compromising confidentiality, integrity, and availability of the affected system. The weakness is the download of code from an external source without an integrity check, corresponding to CWE-494.

Affected Systems

The affected product is Parse Server from the parse-community maintainers. All releases before version 4.10.0 are vulnerable, regardless of platform, as the issue resides in the package distribution process.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity vulnerability that could allow remote code execution without user interaction. EPSS is not reported, but the lack of an official KEV listing suggests the vulnerability has not yet been publicly exploited at scale. The likely attack vector is through supply-chain manipulation via dependency manifests, allowing an attacker to control which code is fetched and installed.

Generated by OpenCVE AI on June 25, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 4.10.0 or later to eliminate the supply chain flaw.
  • Reinstall all dependencies after cleaning the npm cache and verify that all referenced tags correspond to official, signed releases.
  • Use npm audit, package-lock validation, or yarn --frozen-lockfile to enforce integrity of dependencies and prevent the introduction of unreviewed code.
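The lockfile validation recommended above, as an added example that is not OpenCVE's or the parse-server project's code: it reads the `packages` map of a package-lock.json (lockfileVersion 2 or 3, with the standard `version`, `resolved` and `integrity` fields) and flags a parse-server entry below 4.10.0 as well as any dependency that resolves to a git/fork URL instead of a registry tarball with an integrity hash. The sample lockfile, fork URL and hash are constructed for the demonstration.

```javascript
// Added example, not OpenCVE's or the parse-server project's code. Audits a
// package-lock.json (lockfileVersion 2/3 "packages" map) for the CWE-494 signals
// behind this advisory: parse-server below 4.10.0, and dependencies fetched from a
// git/fork URL (a bare version tag) or lacking a registry "integrity" hash.
const FIXED_PARSE_SERVER = '4.10.0';

// Compare dotted numeric versions (prerelease suffix ignored); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Only public-registry tarballs carry a registry-verified integrity hash.
function isRegistryTarball(resolved) {
  return typeof resolved === 'string' && resolved.startsWith('https://registry.npmjs.org/');
}

// Returns {name, reason} findings for a parsed lockfile object.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry has no resolved source
    const name = path.split('node_modules/').pop();
    if (name === 'parse-server' && entry.version &&
        compareVersions(entry.version, FIXED_PARSE_SERVER) < 0) {
      findings.push({ name, reason: `version ${entry.version} is below ${FIXED_PARSE_SERVER}` });
    }
    if (!isRegistryTarball(entry.resolved)) {
      findings.push({ name, reason: `non-registry source: ${entry.resolved}` });
    } else if (!entry.integrity) {
      findings.push({ name, reason: 'registry tarball without integrity hash' });
    }
  }
  return findings;
}

// Constructed sample lockfile: hypothetical fork URL and placeholder hash, not real data.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/parse-server': { version: '4.5.0',
    resolved: 'git+ssh://git@github.com/example-user/parse-server.git#4.5.0' },
  'node_modules/express': { version: '4.18.2', integrity: 'sha512-PLACEHOLDER',
    resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz' },
} };
console.log(auditLockfile(SAMPLE_LOCK)); // two findings, both on parse-server
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`; a clean result means every dependency comes from the registry with an integrity hash and parse-server is at or above the fixed version.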

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code.
Title | | Parse Server - Unreviewed Code Execution via Malicious Version Tags
First Time appeared | | Parseplatform; Parseplatform parse-server
Weaknesses | | CWE-494
CPEs | | cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Vendors & Products | | Parseplatform; Parseplatform parse-server
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T21:41:01.502Z

Reserved: 2026-06-21T02:08:33.231Z

Link: CVE-2021-47986

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T23:30:16Z

Weaknesses
  • CWE-494: Download of Code Without Integrity Check