PT-2026-23872 · Unknown · Parse Server

Fancymalware · Published 2026-03-07 · Updated 2026-03-11 · CVE-2026-30848

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.8
Parse Server versions prior to 9.5.0-alpha.8

Description

Parse Server, an open source backend deployable on Node.js infrastructures, contains a path traversal flaw in the PagesRouter static file serving route. This allows unauthenticated access to files outside the designated pagesPath directory. The issue stems from a string prefix comparison lacking directory separator enforcement, enabling attackers to access files in sibling directories with names sharing a prefix with the pages directory. The vulnerable route is susceptible to path traversal sequences.

Recommendations

Update to Parse Server version 8.6.8 or later.
Update to Parse Server version 9.5.0-alpha.8 or later.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-30848
CVE-2026-30848
GHSA-HM3F-Q6RW-M6WH

Affected Products

Parse Server