Parse Server: SQL injection in PostgreSQL database
GHSA-qpr4-jrj4-6f27 · CVE-2026-31840
Summary
Parse Server's PostgreSQL storage adapter does not properly escape the sub-field part of dot-notation field names (for example data.profile.city) when it builds SQL. An attacker who can supply a dot-notation field name in the sort query parameter, and possibly in the distinct and where parameters, can therefore inject SQL into the database. Only deployments that store their data in PostgreSQL are affected; deployments on other databases (such as MongoDB) are not. No workaround is available: update to 9.6.0-alpha.2 (9.x line) or 8.6.28 (8.x line).
What to do
- On the 9.x line, update parse-server to 9.6.0-alpha.2 or later.
- On the 8.x line, update parse-server to 8.6.28 or later.
- No workaround is available; updating is the only fix.
Affected software
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| parseplatform | parse-server | 9.x prior to 9.6.0-alpha.2 | 9.6.0-alpha.2 |
| parseplatform | parse-server | prior to 8.6.28 | 8.6.28 |
Note: the NVD-derived version data for this CVE gives the affected ranges as <= 8.6.28 and > 9.0.0, <= 9.6.0 (listing 9.6.0 itself as affected), which would include the fixed versions. The advisory text ("prior to 9.6.0-alpha.2 and 8.6.28") is the authoritative statement of what is affected. Check the version actually installed in a deployment with `npm ls parse-server` rather than relying on the declared range in package.json.
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.
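As an added illustration (not code from Parse Server, its fix, or the advisory), the following JavaScript reconstructs the bug class the advisory describes: a dot-notation sort field is translated into a PostgreSQL ORDER BY expression over a JSON column, once with the sub-keys spliced into the SQL text as quoted literals (the vulnerable pattern) and once with them validated and bound as parameters. The "GameScore" table, the use of the -> and ->> JSON operators as the translation of dot notation, the FIELD_RE allowlist and the use of bind parameters inside ORDER BY are all choices made for this example; they are not a description of Parse Server's actual adapter or of how the project fixed it, and the hostile input is constructed for the demonstration, not a payload claimed to work against Parse Server.

```javascript
// Added illustration of the bug class in the advisory above; NOT Parse
// Server's adapter code. Dot-notation sort fields are turned into a
// PostgreSQL ORDER BY over a JSON column, first unsafely, then safely.
// Table and field names are constructed for the example.

// Quote a SQL identifier by doubling any embedded double quotes.
function quoteIdent(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// Split a Parse-style sort spec ("-data.profile.city") into direction,
// top-level column and the chain of JSON sub-keys.
function parseSortSpec(spec) {
  const desc = spec.startsWith('-');
  const field = desc ? spec.slice(1) : spec;
  const [column, ...subKeys] = field.split('.');
  return { desc, field, column, subKeys };
}

// VULNERABLE: each sub-key is written into the SQL as a single-quoted literal
// with no escaping, so a quote inside the key ends the literal and whatever
// follows is parsed as SQL.
function buildOrderByVulnerable(orderParam) {
  const clauses = orderParam.split(',').map(spec => {
    const { desc, column, subKeys } = parseSortSpec(spec);
    let expr = quoteIdent(column);
    subKeys.forEach((key, i) => {
      const op = i === subKeys.length - 1 ? '->>' : '->'; // last step yields text
      expr += `${op}'${key}'`;                             // BUG: key is not escaped
    });
    return expr + (desc ? ' DESC' : ' ASC');
  });
  return `SELECT * FROM "GameScore" ORDER BY ${clauses.join(', ')}`;
}

// HARDENED: the field syntax is checked against an allowlist pattern first,
// and every sub-key is passed as a bind parameter ($1, $2, ...) rather than
// spliced into the statement text, so it cannot change the query structure.
const FIELD_RE = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z0-9_]+)*$/; // assumed allowlist

function buildOrderByParameterized(orderParam) {
  const values = [];
  const clauses = orderParam.split(',').map(spec => {
    const { desc, field, column, subKeys } = parseSortSpec(spec);
    if (!FIELD_RE.test(field)) {
      throw new Error(`invalid sort field: ${JSON.stringify(field)}`);
    }
    let expr = quoteIdent(column);
    subKeys.forEach((key, i) => {
      values.push(key);
      const op = i === subKeys.length - 1 ? '->>' : '->';
      expr += `${op}$${values.length}`;
    });
    return expr + (desc ? ' DESC' : ' ASC');
  });
  return { text: `SELECT * FROM "GameScore" ORDER BY ${clauses.join(', ')}`, values };
}

// Constructed inputs: a benign nested sort and one whose sub-key carries a
// quote that terminates the literal in the vulnerable builder.
const BENIGN_SORT = '-data.profile.city';
const HOSTILE_SORT = 'data.x\' DESC; DROP TABLE "GameScore"; --';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildOrderByVulnerable(BENIGN_SORT));
  console.log(buildOrderByVulnerable(HOSTILE_SORT)); // statement now ends in DROP TABLE
  console.log(buildOrderByParameterized(BENIGN_SORT));
  try {
    buildOrderByParameterized(HOSTILE_SORT);
  } catch (e) {
    console.log('rejected:', e.message);
  }
}
```

Run it with node to see the two builders side by side: the vulnerable one turns the hostile sort into a statement whose trailing quote is commented out by the attacker's "--", while the hardened one rejects the input before any SQL is built. Binding sub-keys as parameters works because the PostgreSQL -> and ->> operators take a text operand, so a key can never close a literal; the allowlist alone would also stop this input, but parameters remove the need to reason about escaping at all.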
Severity: 9.3 (CVSS 4.0, as scored in the GHSA advisory)
Vulnerability type: CWE-89 (SQL Injection)
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jr...
- https://github.com/parse-community/parse-server/releases/tag/8.6.28
- https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2
- https://github.com/advisories/GHSA-qpr4-jrj4-6f27
- https://github.com/parse-community/parse-server (product)
- https://nvd.nist.gov/vuln/detail/CVE-2026-31840
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026