Primary

Context

Parse Server SQL Injection Vulnerability in PostgreSQL Deployments

Vulnerability

Patched

A SQL injection vulnerability has been identified in Parse Server versions 9.0.0 prior to 9.6.0-alpha.2 and versions prior to 8.6.28. This vulnerability allows attackers to inject SQL into the PostgreSQL database by using a dot-notation field name with the sort query parameter, due to improper escaping of sub-field values in dot-notation queries. The issue may also arise with the distinct and where query parameters. The vulnerability only affects deployments using a PostgreSQL database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to the database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Remediation

Users can upgrade to Parse Server versions 9.6.0-alpha.2 or 8.6.28 to address this vulnerability.

Added: Mar 11, 2026, 5:21 PM

Updated: Mar 11, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

2.5

exploitability

7.9

remediation

7.7

relevance

3.8

threat

0.0

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

2.5

exploitability

7.9

remediation

7.7

relevance

3.8

threat

0.0

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Parse Server SQL Injection Vulnerability in PostgreSQL Deployments

Vulnerability

Impact

Remediation

Affected Products

Parse Server

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating