CVE-2026-31840

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.6.0-alpha.2 and 8.6.28

Description Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to SQL injection when using PostgreSQL databases. An attacker can exploit this by utilizing a dot-notation field name in conjunction with the sort query parameter. This allows for the injection of SQL code due to improper escaping of sub-field values within dot-notation queries. The issue potentially affects queries employing dot-notation field names alongside the distinct and where query parameters. The injection occurs through the use of a dot-notation field name and the sort parameter.

Recommendations Versions prior to 9.6.0-alpha.2 should be updated to 9.6.0-alpha.2 or later. Versions prior to 8.6.28 should be updated to 8.6.28 or later.