Resource exhaustion in Parse-community Parse-server

CVE-2026-30946

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) thro…

EPSS: 0.000 (6.5th percentile) — read the EPSS interpretation.

Affected products

Parse-community Parse-server — versions < 8.6.15, >= 9.0.0 < 9.5.2-alpha.2

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg (x_refsource_CONFIRM)
https://github.com/parse-community/parse-server/releases/tag/8.6.15 (x_refsource_MISC)
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2 (x_refsource_MISC)