CVE-2026-57480
CVE-2026-57480 is a high-severity vulnerability with a CVSS 4.0 base score of 8.7. The underlying weakness is classified as CWE-407.
Key facts
- Severity: High (CVSS 4.0 base score 8.7)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-407
- Published:
- Last modified:
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82.
Frequently asked questions
- What is CVE-2026-57480?
- Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82.
- How severe is CVE-2026-57480?
- CVE-2026-57480 has a CVSS 4.0 base score of 8.7, rated high severity.
- Is CVE-2026-57480 being actively exploited?
- It is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS exploit-prediction score is available yet.
- How do I fix CVE-2026-57480?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2026-57480 published?
- CVE-2026-57480 was published on 2026-07-08.
References
- https://github.com/parse-community/parse-server/commit/0f5d2ad77b422dc904458254548be87397fc6e9b
- https://github.com/parse-community/parse-server/commit/1103c7a890e0455ba3dccd4bc5db17efe1789c9a
- https://github.com/parse-community/parse-server/pull/10511
- https://github.com/parse-community/parse-server/pull/10512
- https://github.com/parse-community/parse-server/releases/tag/8.6.82
- https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.12
- https://github.com/parse-community/parse-server/security/advisories/GHSA-cgxm-vr2f-6fj8
Other CWE-407 vulnerabilities
- CVE-2026-55206 — High (CVSS 8.7): py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and…
- CVE-2026-59880 — High (CVSS 8.7): Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and…
- CVE-2026-58226 — High (CVSS 8.7): Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via…
- CVE-2026-54892 — High (CVSS 8.7): Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to…
- CVE-2026-56669 — High (CVSS 7.5): Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server…
- CVE-2026-59928 — High (CVSS 7.5): Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many…