{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30848", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.341Z", "datePublished": "2026-03-07T16:20:22.220Z", "dateUpdated": "2026-03-09T18:25:17.931Z"}, "containers": {"cna": {"title": "Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.8", "status": "affected"}, {"version": "< 9.5.0-alpha.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:20:22.220Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8."}], "source": {"advisory": "GHSA-hm3f-q6rw-m6wh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:38:49.481521Z", "id": "CVE-2026-30848", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:25:17.931Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30848", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:38:49.481521Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:38:51.166Z"}}], "cna": {"title": "Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory", "source": {"advisory": "GHSA-hm3f-q6rw-m6wh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 8.6.8"}, {"status": "affected", "version": "< 9.5.0-alpha.8"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:20:22.220Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30848", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:25:17.931Z", "dateReserved": "2026-03-05T21:27:35.341Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T16:20:22.220Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7BAC0476-CA4F-42DB-BDA2-365203EDCAA7", "versionEndExcluding": "8.6.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "77A07A2F-C8ED-4D78-A9C0-66AB42F69F38", "versionEndExcluding": "9.5.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3E9F95CF-EEE1-42FC-904E-321F05E3DE4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "5C02D6F0-5A3A-45F5-8A74-F75A8CCAE7DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "103C9745-031B-4822-A19C-A61375FBB1AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "8D67029D-C1BD-4D46-A84F-C52B4D364268", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "3B10930D-B416-4D9A-BA26-F0AD22BFAE28", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "72794836-5CFB-4928-BB22-D7DE813809B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "FA2C4C1E-3AE6-48E0-8B59-80554AE85BB0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.8 y 9.5.0-alpha.8, la ruta de servicio de archivos est\u00e1ticos de PagesRouter es vulnerable a un ataque de salto de ruta que permite la lectura no autenticada de archivos fuera del directorio pagesPath configurado. La verificaci\u00f3n de l\u00edmites utiliza una comparaci\u00f3n de prefijo de cadena sin aplicar un l\u00edmite de separador de directorio. Un atacante puede usar secuencias de salto de ruta para acceder a archivos en directorios hermanos cuyos nombres comparten el mismo prefijo que el directorio pages (por ejemplo, pages-secret comienza con pages). Este problema ha sido parcheado en las versiones 8.6.8 y 9.5.0-alpha.8."}], "id": "CVE-2026-30848", "lastModified": "2026-03-10T16:56:59.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T17:15:52.190", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.5.0-alpha.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-17T12:07:33.804768+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 8.6.8 or later, or to 9.5.0\u2011alpha.8 or later, where the path traversal bug has been fixed.", "If immediate upgrade is not possible, choose a pagesPath directory name that does not share a common prefix with any adjacent directories and confirm the path is validated before use.", "Restrict external access to the PagesRouter endpoint by configuring firewall rules or a reverse proxy to limit traffic to trusted hosts, thereby reducing the attack surface."], "summary": {"action": "Patch", "impact": "Unauthenticated file disclosure via path traversal"}, "threat_synthesis": {"affected_systems": "The issue affects parse-community Parse Server versions prior to 8.6.8 and 9.5.0\u2011alpha.8. In particular, release cpes list includes 9.5.0\u2011alpha1 through alpha7 and earlier 8.x series. Systems running those builds that expose the PagesRouter route publicly are vulnerable.", "description_and_impact": "Parse Server\u2019s PagesRouter static file serving route performed a bounding check using only a string prefix comparison, neglecting to enforce a directory separator boundary. The vulnerability permits unauthenticated attackers to supply path traversal sequences that reference files located outside the configured pagesPath directory. The result is that arbitrary files residing in sibling directories whose names share the same prefix as the pages directory can be read, exposing potentially confidential data. This weakness is classified as a path traversal flaw (CWE-22) and gives attackers read\u2011only access to files on the server.\nBased on the description, the attack vector is inferred to be an unauthenticated HTTP request to the PagesRouter endpoint. The exploit details are inferred from the description because the CVE does not provide explicit implementation steps.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.3 (medium). EPSS is reported as less than 1\u202f%, indicating a very low exploitation probability at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be an unauthenticated HTTP request to the exposed PagesRouter endpoint. An attacker can exploit the flaw by sending a crafted HTTP request to an exposed PagesRouter endpoint without authentication. Since the server trusts the requested path components, the attacker can traverse directories to read files such as configuration, secrets, or logs. The exploit details are inferred from the description because the CVE does not provide explicit implementation steps."}}}}, "created": "2026-03-09T10:04:59.535069+00:00", "updated": "2026-04-17T12:15:18.166597+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}