CVE-2026-33323 in parse-serverinfo

Zusammenfassung

von MITRE • 24.03.2026

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route against this, did not apply to these routes. This issue has been patched in versions 8.6.51 and 9.6.0-alpha.40.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

18.03.2026

Veröffentlichung

24.03.2026

Moderieren

akzeptiert

Eintrag

VDB-352846

CPE

bereit

CWE

CWE-204 (bestätigt)

CVSS

5.3 (NVD)

EPSS

0.00051

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-33323
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-33323
CVE Details	https://www.cvedetails.com/cve/CVE-2026-33323/

◂ Zurück Übersicht Weiter ▸

Do you need the next level of professionalism?

Upgrade your account now!