#VU124993 Improper Neutralization of Special Elements in Data Query Logic in Parse Server - CVE-2026-30941

Published: April 6, 2026


Vulnerability identifier: #VU124993
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-30941
CWE-ID: CWE-943
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Parse Server
Software vendor: Parse Community

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the password reset and email verification resend endpoints do not neutralize special elements in the token field of incoming requests before using it in data query logic. A remote attacker can send a specially crafted token value containing MongoDB query operators to disclose sensitive information.

When emailVerifyTokenReuseIfValid is configured, the extracted email verification token can be used to verify a user's email address without access to the user's inbox.
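The weakness described above is the general pattern of copying a JSON request value straight into a MongoDB-style filter: a JSON body can carry an object as easily as a string, so an object with operator keys becomes part of the query. The following is an added illustration, not Parse Server's own code, that places the weak lookup beside a hardened one that only accepts a validated string, plus a last-line check that flags any operator key left in a filter. The field name `_perishable_token`, the token alphabet, the length bounds and the sample request bodies are all assumptions constructed for this example.

```javascript
// Added example for CVE-2026-30941; illustrative code, not Parse Server's
// own implementation. It assumes an Express-style handler that receives a
// parsed JSON body and builds a MongoDB-style filter from `body.token`.
// Field and function names are hypothetical.

// Weak form: the request value is copied into the filter unchanged. JSON
// bodies can carry objects as well as strings, so a client-supplied object
// with operator keys would become part of the database query.
function buildTokenQueryWeak(body) {
  return { _perishable_token: body.token };
}

// Token alphabet and length bounds are constructed for this example.
const TOKEN_RE = /^[A-Za-z0-9_-]{16,128}$/;

// Returns the token as a plain string, or null when the value is missing,
// not a string, or outside the expected shape.
function parseToken(value) {
  if (typeof value !== 'string') return null;
  return TOKEN_RE.test(value) ? value : null;
}

// Hardened form: only a validated string reaches the filter; anything else
// yields null so the caller can answer 400 before touching the database.
function buildTokenQueryHardened(body) {
  const token = parseToken(body && body.token);
  return token === null ? null : { _perishable_token: token };
}

// Defensive last check usable on any filter: true if some key anywhere in
// the object tree starts with '$', i.e. a query operator made it through.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([key, inner]) => key.startsWith('$') || containsOperator(inner),
    );
  }
  return false;
}

// Request shapes seen by the endpoint (constructed): a well-formed token and
// a body whose token is an object carrying an operator key.
const GOOD_BODY = { token: 'abcdefghijklmnop0123' };
const BAD_BODY = { token: { $ne: null } };

// Stand-alone demonstration of the difference between the two builders.
console.log('weak filter      :', JSON.stringify(buildTokenQueryWeak(BAD_BODY)),
            '| operator present:', containsOperator(buildTokenQueryWeak(BAD_BODY)));
console.log('hardened (bad)   :', JSON.stringify(buildTokenQueryHardened(BAD_BODY)));
console.log('hardened (good)  :', JSON.stringify(buildTokenQueryHardened(GOOD_BODY)));
```

The type check is the essential part: validating the token's alphabet and length is a useful extra bound, but rejecting anything that is not a string is what keeps client-controlled objects out of the query. The `containsOperator` walk is a cheap invariant to assert in a request pipeline or a unit test, and it applies equally to the password reset and the email verification resend paths named in the description.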


Remediation

Install the security update from the vendor's website.

External links