{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31840", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T17:41:56.078Z", "datePublished": "2026-03-11T16:53:17.164Z", "dateUpdated": "2026-03-11T17:38:08.164Z"}, "containers": {"cna": {"title": "Parse Server has a SQL injection via dot-notation field name in PostgreSQL", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.28", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.28"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0 < 9.6.0-alpha.2", "status": "affected"}, {"version": "< 8.6.28", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T16:53:17.164Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28."}], "source": {"advisory": "GHSA-qpr4-jrj4-6f27", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T17:37:24.007202Z", "id": "CVE-2026-31840", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:38:08.164Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31840", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T17:37:24.007202Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:37:49.571Z"}}], "cna": {"title": "Parse Server has a SQL injection via dot-notation field name in PostgreSQL", "source": {"advisory": "GHSA-qpr4-jrj4-6f27", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": ">= 9.0.0 < 9.6.0-alpha.2"}, {"status": "affected", "version": "< 8.6.28"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.28", "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.28", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2", "name": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T16:53:17.164Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31840", "state": "PUBLISHED", "dateUpdated": "2026-03-11T17:38:08.164Z", "dateReserved": "2026-03-09T17:41:56.078Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T16:53:17.164Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "44D9B286-2037-45E7-9C28-EEAAF8D8F843", "versionEndExcluding": "8.6.28", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A", "versionEndExcluding": "9.6.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.6.0-alpha.2 y 8.6.28, un atacante puede usar un nombre de campo con notaci\u00f3n de puntos en combinaci\u00f3n con el par\u00e1metro de consulta 'sort' para inyectar SQL en la base de datos PostgreSQL a trav\u00e9s de un escape incorrecto de valores de subcampo en consultas con notaci\u00f3n de puntos. La vulnerabilidad tambi\u00e9n puede afectar a las consultas que usan nombres de campo con notaci\u00f3n de puntos con los par\u00e1metros de consulta 'distinct' y 'where'. Esta vulnerabilidad solo afecta a los despliegues que usan una base de datos PostgreSQL. Esta vulnerabilidad est\u00e1 corregida en 9.6.0-alpha.2 y 8.6.28."}], "id": "CVE-2026-31840", "lastModified": "2026-03-13T18:54:46.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T17:16:58.447", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.28"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.6.0-alpha.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.28)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-03-17T17:09:51.891834+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 9.6.0\u2011alpha.2 or later, or to 8.6.28 or later, which includes the necessary escaping fixes.", "Verify your current Parse Server version and ensure it is at or above the patched releases.", "Monitor the vendor\u2019s releases page or the security advisory link for additional patches or updates.", "If upgrading is not immediately possible, temporarily restrict external write access to the Parse Server API until a patch can be applied."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability is limited to Parse Server deployments that use PostgreSQL and run any release prior to 9.6.0\u2011alpha.2 or 8.6.28. Both the 8.x and 9.x major series are affected. Deployments that have upgraded to the patched releases are not impacted. The affected products are provided by parse-community:parse-server and are listed in the CPE data as parse-server:* and parse-server:9.6.0:alpha1.", "description_and_impact": "Parse Server applies dot\u2011notation field names in query parameters such as sort, distinct, and where. The server fails to properly escape the sub\u2011field values when processing these dot\u2011notation queries against a PostgreSQL backend, allowing an attacker to inject arbitrary SQL. This flaw (CWE\u201189) enables attackers to read, modify, or delete data stored in the database and is therefore a critical vulnerability that compromises confidentiality, integrity, and potentially availability of the application data.", "risk_and_exploitability": "The CVSS score of 9.3 categorises this as a critical issue. The EPSS score is less than 1\u202f%, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating a low baseline exploitation probability in the wild. However, exploitation requires only the ability to send a crafted HTTP request to the Parse Server API, and authentication is not explicitly required by the description. Thus the attack vector is remote over the web API, and the potential impact is high due to the ability to execute arbitrary SQL statements against the database."}}}}, "created": "2026-03-12T09:57:44.414067+00:00", "updated": "2026-03-20T15:30:24.593720+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}