CVE-2026-47138: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version
Summary
Parse Server, an open source backend framework that runs on Node.js, has a vulnerability where attackers can send specially crafted HTTP requests that cause the server to spend seconds or minutes processing a single request before checking user permissions or rate limits. An attacker only needs to know the application's public ID and can overload the server by sending a few concurrent requests or one large request, making it slow or unresponsive for legitimate users.
Solution / Mitigation
Update Parse Server to version 8.6.77 or 9.9.1-alpha.1 or later, as this issue has been patched in these versions.
Vulnerability Details
EPSS: 0.2%
June 12, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-47138
First tracked: June 12, 2026 at 08:09 PM