CVE-2026-34373HIGH 8.8EPSS p10.1%

CVE-2026-34373CVE-2026-34373

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS0.20% probability of exploitation · percentile 10.1% · 2026-06-18T12:00:27Z
Published2026-03-31
Last modified2026-04-02

Underlying weaknesses· 1

CWE-346

References

  1. https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263
  2. https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203
  3. https://github.com/parse-community/parse-server/pull/10334
  4. https://github.com/parse-community/parse-server/pull/10335
  5. https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c

1

TypeTargetConfidenceTier
WeaknessOrigin Validation Errorcwe-3460%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33409
CVE
CVE-2026-31800
CVE
CVE-2026-30965
CVE
CVE-2026-30863
CVE
CVE-2026-30966
CVE
CVE-2026-30967
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.